A Study on Matrix-Based High-Performance Pattern Matching by Independent Partial Matching

A Study on a Matrix-Based High-Performance Pattern Matching Method Using Independent Partial Matching

  • 정우석 (Electronics and Telecommunications Research Institute, USN Application Technology Research Team)
  • 권택근 (Chungnam National University, Division of Electrical and Information Communication Engineering)
  • Published: 2009.09.30

Abstract

In this paper, we propose a matrix-based real-time pattern matching method, called MDPI, for real-time intrusion detection on multi-Gbps network traffic. In particular, to minimize the overhead caused by buffering, reordering, and reassembling when the incoming packet sequence is disrupted, MDPI applies independent partial matching within its pattern matching matrix. Through several experiments in which the average length of the Snort rule set was kept at 9 bytes and w=4 bytes and w=8 bytes were assigned, respectively, we achieved TCAM memory efficiency improvements of 61% and 50% over the TCAM method. Moreover, we observed a pattern scan speed of 10.941 Gbps and a hardware resource consumption of 5.79 LC/Char in the pattern classification of MDPI, which means that MDPI provides the best performance relative to hardware complexity. Therefore, by reducing hardware cost through the increased TCAM memory efficiency, MDPI is shown to be a cost-effective, high-performance intrusion detection technique.

In this paper, we propose MDPI, a pattern matching method for real-time intrusion detection on multi-Gbps network traffic. MDPI is a matrix-based pattern matching method using independent partial matching, designed to resolve the overhead of buffering, reordering, and reassembly that arises when packet delivery order is not preserved. For the average Snort rule set length of 17 bytes, MDPI increased TCAM memory efficiency by 61% at w=4 bytes and by 50% at w=8 bytes. In addition, MDPI achieved a pattern scan speed of 10.941 Gbps while consuming 5.79 LC/Char of hardware resources, an optimized result in terms of performance relative to hardware complexity. Accordingly, this paper proposes a cost-effective, high-performance intrusion detection technique based on reduced hardware cost.
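The abstract's central idea is that each signature is cut into fixed-width w-byte partials that are matched independently per packet, so a signature split across out-of-order packets is still detected without buffering or reassembly. The following is an added illustrative model of that idea, not the paper's MDPI design or its matrix layout: the split into w-byte partials, the per-width lookup tables, the `detect` driver and the constructed packets are all assumptions made for the example.

```python
"""Illustrative model of independent partial matching (constructed example).

Assumptions, not taken from the paper: each signature is cut into consecutive
w-byte partials; every packet is scanned for all partials regardless of
arrival order; a signature is reported once all of its partials have been
seen on the flow, so out-of-order packets need no buffering or reassembly.
"""
from collections import defaultdict


def split_pattern(pattern: bytes, w: int) -> list:
    """Cut a signature into consecutive w-byte partials.

    The tail is kept short rather than padded, so it can be matched exactly
    instead of needing a don't-care mask as a real TCAM entry would.
    """
    if not pattern:
        raise ValueError("empty pattern cannot be split")
    return [pattern[i:i + w] for i in range(0, len(pattern), w)]


def tcam_entries(patterns: dict, w: int) -> int:
    """Count fixed-width entries needed when every partial occupies one w-byte
    TCAM slot; a 9-byte pattern costs 3 slots at w=4 and 2 slots at w=8."""
    return sum(len(split_pattern(p, w)) for p in patterns.values())


def build_tables(patterns: dict, w: int):
    """Index partials by their width so each width is one lookup table.

    Returns (tables, needed): tables[width][chunk] -> [(name, index), ...]
    and needed[name] -> number of partials that must be seen for `name`.
    """
    tables = defaultdict(lambda: defaultdict(list))
    needed = {}
    for name, pat in patterns.items():
        pieces = split_pattern(pat, w)
        needed[name] = len(pieces)
        for idx, piece in enumerate(pieces):
            tables[len(piece)][piece].append((name, idx))
    return tables, needed


def scan_packet(payload: bytes, tables) -> set:
    """Return every (name, index) partial found in this one packet.

    A window of each table's width slides over the payload, which mimics a
    fixed-width lookup; the packet is inspected on its own, with no state
    from neighbouring packets.
    """
    hits = set()
    for width, table in tables.items():
        for off in range(len(payload) - width + 1):
            for pid in table.get(payload[off:off + width], ()):
                hits.add(pid)
    return hits


def detect(packets, patterns: dict, w: int) -> list:
    """Scan packets in arrival order (possibly out of order), record which
    partials of each signature have been seen, and report complete ones.

    Caveat: adjacency and order of the partials are not checked, so this is a
    prefilter; a full match of the candidate flow would be needed to confirm.
    """
    tables, needed = build_tables(patterns, w)
    seen = defaultdict(set)
    for payload in packets:
        for name, idx in scan_packet(payload, tables):
            seen[name].add(idx)
    return sorted(name for name in patterns if len(seen[name]) == needed[name])


if __name__ == "__main__":
    # Constructed sample: the second packet of a request arrives first.
    rules = {"passwd": b"/etc/passwd", "cmd": b"cmd.exe"}
    out_of_order = [b"/passwd HTTP/1.0", b"GET /etc"]
    print(detect(out_of_order, rules, 4))        # ['passwd']
    print(tcam_entries(rules, 4), tcam_entries(rules, 8))
```

Because each packet is scanned on its own, the flow state is just a set of partial indices per signature, which is what lets the approach avoid reassembly; the price, visible in `detect`, is that non-adjacent partials also complete a signature, so a defender treats a hit as a candidate to confirm rather than a final alert.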
