Browse > Article
http://dx.doi.org/10.9708/jksci.2012.17.4.011

The Design and Implementation of Network Intrusion Detection System Hardware on FPGA  

Kim, Taek-Hun (Dept. of Computer and Telecommunication Engineering, Yonsei University)
Yun, Sang-Kyun (Dept. of Computer and Telecommunication Engineering, Yonsei University)
Publication Information
Journal of the Korea Society of Computer and Information / v.17, no.4, 2012 , pp. 11-18 More about this Journal
Abstract
Deep packet inspection which perform pattern matching to search for malicious patterns in the packet is most computationally intensive task. Hardware-based pattern matching is required for real-time packet inspection in high-speed network. In this paper, we have designed and implemented network intrusion detection hardware as a Microblaze-based SoC using Virtex-6 FPGA, which capture the network input packet, perform hardware-based pattern matching for patterns in the Snort rule, and provide the matching result to the software. We verify the operation of the implemented system using traffic generator and real network traffic. The implemented hardware can be used in network intrusion detection system operated in wire-speed.
Keywords
Instrusion Detection; FPGA; Pattern Matching Hardware;
Citations & Related Records
Times Cited By KSCI : 1  (Citation Analysis)
연도 인용수 순위
1 PCRE - Perl Compatible Regular Expressions, http://www.pcre.org
2 R. Sidhu and V.K. Prasanna, "Fast Regular Expression Matching using FPGAs," IEEE Symp. Field- Programmable Custom Computing Machines, (FCCM'01), pp. 227-238, 2001.
3 C. R. Clark and D. E. Schimmel, "Scalable Parallel Pattern Matching on High Speed Networks," IEEE Symp. Field-Programmable Custom Computing Machines (FCCM'04), pp. 249-257, 2004.
4 C.-H. Lin, C.-T. Huang, C.-P. Jiang, and S.-C. Chang, "Optimization of Pattern Matching Circuits for Regular Expression on FPGA," IEEE Trans. VLSI Systems, Vol.15, No.12, pp.1303-1310, Dec. 2007.   DOI   ScienceOn
5 S.K. Yun and K.H. Lee, "A Hardware Architecture of Multibyte-based Regular Expression Pattern Matching for NIDS," Journal of Korea Information and Communicaitons Society(KICS), Vol.34, No.1B, pp.47-55, Jan. 2009.
6 S.K. Yun and K.H. Lee, "A Hardware Architecture of Regular Expression Pattern Matching for Deep Packet Inspection," Journal of Korea Society of Computer and Information(KSCI), Vol.16, No.5, pp.13-22, May 2011.   DOI
7 T. Katashita, Y. Yamaguchi, A. Maeda and K. Toda, "FPGA-Based Intrusion Detection System for 10 Gigabit Ethernet," IEICE Trans. Info. & Sys, Vol. E90-D, No.12, pp.1923-1931, Dec. 2007.   DOI
8 Xilinx ML605 Evaluation Kit, http://www.xilinx.com/products/devkits/EK-V6-ML605-G.htm
9 Xilinx PLB IPIF IP CORE Datasheet, http://www.xilinx.com/support/documentation/ip_documentation/ plb_ipif.pdf
10 Snort web site, http://www.snort.org
11 Bro web site, http://bro-ids.org