ABSTRACT
An intrusion detection system monitors and analyzes all incoming packets on a given network to detect vulnerabilities and intrusions. It consists of four major modules: packet capturing, packet decoding, packet preprocessing and string/pattern matching. Among these, string matching is the most computationally intensive, and a number of hardware architectures and designs have already been proposed to accelerate it. Consequently, an exploration of existing hardware architectures for string matching algorithms is critical. This paper identifies the string matching algorithms and techniques most frequently used in hardware implementations. Subsequently, it explores various hardware architectures for the identified algorithms and techniques. Finally, the implementation details of the explored architectures are discussed in terms of the device used, hardware resources consumed, operational clock frequency and throughput.
Index Terms
- Exploration of Hardware Architectures for String Matching Algorithms in Network Intrusion Detection Systems