Browse > Article

A Hardware Architecture of Multibyte-based Regular Expression Pattern Matching for NIDS  

Yun, Sang-Kyun (연세대학교 컴퓨터정보통신공학부)
Lee, Kyu-Hee (연세대학교 컴퓨터정보통신공학부)
Publication Information
The Journal of Korean Institute of Communications and Information Sciences / v.34, no.1B, 2009 , pp. 47-55 More about this Journal
Abstract
In recent network intrusion detection systems, regular expressions are used to represent malicious packets. In order to process incoming packets through high speed networks in real time, we should perform hardware-based pattern matching using the configurable device such as FPGAs. However, operating speed of FPGAs is slower than giga-bit speed network and so, multi-byte processing per clock cycle may be needed. In this paper, we propose a hardware architecture of multi-byte based regular expression pattern matching and implement the pattern matching circuit generator. The throughput improvements in four-byte based pattern matching circuit synthesized in FPGA for several Snort rules are $2.62{\sim}3.4$ times.
Keywords
Pattern matching hardware; Intrusion detection; NIDS; Regular expression;
Citations & Related Records
연도 인용수 순위
  • Reference
1 Bros Intrusion Detection System, http://bro-ids.org
2 R. Sidhu and V.K. Prasanna, 'Fast Regular Expression Matching using FPGAs', IEEE Symp. on Field-Programmable Custom Computing Machines, 2001, pp.227-238
3 C.-H. Lin, C.-T. Huang, C.-P. Jiang, and S.-C. Chang, 'Optimization of regular expression pattern matching circuits on FPGA', Conf. on Design, Automation and Test in Europe (DATE06), 2006, pp.12-17
4 Bleeding Edge Threats, http://bleedingthreats.net
5 B.C. Brodie, D.E. Taylor, and R.K. Cytron, 'A scalable architecture for high-throughput regular-expression pattern matching', Comput. Architecture News, Vol.34, No.2, 2006, pp.191-202   DOI
6 C.R. Clark and D.E. Schimmel, 'Scalable parallel pattern matching on high speed networks', IEEE Symp. on Field-Programmable Custom Computing Machines, 2004. pp.249-257
7 Snort web site, http://www.snort.org
8 J. Lee, S.H. Hwang, N. Park, S.W. Lee, S. Jun, and Y.S. Kim, 'A high performance NIDS using FPGA-based regular expression matching', Symp. Applied Computing (SAC2007), 2007, pp.1187-1191
9 C.-H. Lin, C.-T. Huang, C.-P. Jiang, and S.-C. Chang, "Optimization of pattern matching circuits for regular expression on FPGA", IEEE Trans. VLSI Systems, Vol.15, No.12 Dec. 2007, pp.1303-1310   DOI   ScienceOn
10 I. Sourdis and D. Pnevmatikatos, 'Pre-decoded CAMs for Efficient and High-Speed NIDS Pattern Matching', IEEE Symp. on Field- Programmable Custom Computing Machines, 2004, pp.258-267
11 PCRE-Perl Compatible Regular Expressions, http://www.pcre.org
12 B. L. Hutchings, R. Franklin, and D. Carver, 'Assisting network intrusion detection with reconfigurable hardware', IEEE Symp. on Field-Programmable Custom Computing Machines, 2002, pp.111-120
13 J. Bispo, I. Sourdis, J. Cardoso, and S. Vassiliadis, 'Regular expression matching for reconfigurable packet inspection', IEEE Conf. Field Programmable Tech. (FPT06), 2006, pp.119-126