
A High-speed Pattern Matching Acceleration System for Network Intrusion Prevention Systems


  • 김선일 (School of Computer and Information Engineering, Hongik University)
  • Published: 2005.04.01

Abstract

Pattern matching is one of the critical parts of Network Intrusion Prevention Systems (NIPS) and is computationally intensive. To handle the large and daily increasing number of attack signature patterns, a network intrusion prevention system requires a multi-pattern matching method that can keep up with the line speed of packet transfer. In this paper, we analyze Snort, a widely used open source network intrusion prevention/detection system, and its pattern matching characteristics. A multi-pattern matching method for NIPS should efficiently handle a large number of patterns with a wide range of pattern lengths as well as case-insensitive pattern matches. It should also be able to process multiple input characters in parallel. We propose a multi-pattern matching hardware accelerator based on the Shift-OR pattern matching algorithm. We evaluate the performance of the pattern matching accelerator under various assumptions. The performance evaluation shows that the pattern matching accelerator can be more than 80 times faster than the fastest software multi-pattern matching method used in Snort.

Pattern matching is one of the most important parts of a network intrusion prevention system and requires a great deal of computation. To handle the ever-increasing number of attack patterns, a network intrusion prevention system needs a multi-pattern matching method that can process packets arriving at line speed. In this paper we analyze Snort, a widely used network intrusion prevention and detection system, and its pattern matching characteristics. A pattern matching method for an intrusion prevention system must efficiently handle a large number of patterns of varying lengths as well as case-insensitive pattern matching. It must also be able to process several input characters simultaneously. This paper presents a multi-pattern matching hardware accelerator based on the Shift-OR pattern matching algorithm and measures its performance under several assumptions. According to the measurements, the proposed hardware accelerator can be more than 80 times faster than the fastest software multi-pattern matching currently used in Snort.
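The two requirements the abstract lists for NIPS matching, many patterns at once and case-insensitive matches, map naturally onto the bit-parallel Shift-OR algorithm the accelerator is built on. The following C sketch is an added illustration, not the paper's design or Snort's code: it packs several patterns into one 64-bit Shift-OR state word (a hardware version would simply use a wider word), builds the per-byte masks with optional case folding, and reports which patterns occurred; the pattern strings and sample text used in any test are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* Packed Shift-Or matcher: each pattern owns a contiguous bit range inside one 64-bit state word.
 * A 0 bit at position j means "the pattern prefix ending at j matches the text read so far". */
typedef struct {
    uint64_t bmask[256];   /* B[c]: bit j is 0 where byte c is accepted at packed position j */
    uint64_t start_clear;  /* 0 at each pattern's first bit so a prefix match never leaks across patterns */
    int final_bit[8];      /* bit index of each pattern's last character (at most 8 patterns here) */
    int npat;
} shiftor_t;

/* Build the tables; nocase != 0 makes matching case-insensitive. Returns -1 if the patterns
 * do not fit into 64 bits (a hardware implementation would widen the word instead). */
int shiftor_build(shiftor_t *m, const char *pats[], int npat, int nocase) {
    int bit = 0;
    if (npat > 8) return -1;
    memset(m, 0, sizeof *m);
    for (int c = 0; c < 256; c++) m->bmask[c] = ~0ULL;
    m->start_clear = ~0ULL;
    for (int i = 0; i < npat; i++) {
        size_t len = strlen(pats[i]);
        if (len == 0 || bit + (int)len > 64) return -1;
        m->start_clear &= ~(1ULL << bit);
        for (size_t j = 0; j < len; j++, bit++) {
            unsigned char p = (unsigned char)pats[i][j];
            m->bmask[p] &= ~(1ULL << bit);
            if (nocase) {               /* accept both cases of the pattern byte at this position */
                m->bmask[tolower(p)] &= ~(1ULL << bit);
                m->bmask[toupper(p)] &= ~(1ULL << bit);
            }
        }
        m->final_bit[i] = bit - 1;
        m->npat = i + 1;
    }
    return 0;
}

/* Scan text with one shift/and/or per byte; returns a bitmask of the pattern indices found. */
unsigned shiftor_scan(const shiftor_t *m, const unsigned char *text, size_t n) {
    uint64_t D = ~0ULL;
    unsigned hits = 0;
    for (size_t i = 0; i < n; i++) {
        D = ((D << 1) & m->start_clear) | m->bmask[text[i]];
        for (int k = 0; k < m->npat; k++)
            if (!(D & (1ULL << m->final_bit[k]))) hits |= 1u << k;
    }
    return hits;
}
```

The inner loop is the whole per-byte cost, which is why the same recurrence is attractive for a hardware pipeline: one shift, one AND, one OR and a table lookup per input character, independent of how many patterns share the word.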
