http://dx.doi.org/10.7840/kics.2015.40.11.2169

Design and Implementation of High-Speed Pattern Matcher Using Multi-Entry Simultaneous Comparator in Network Intrusion Detection System  

Jeon, Myung-Jae (Sogang University Department of Electronic Engineering)
Hwang, Sun-Young (Sogang University Department of Electronic Engineering)
Abstract
This paper proposes a new pattern matching module to overcome the increased runtime of the previous RAM-based algorithm, which was itself designed to overcome the cost limitation of the hash-based algorithm using CAM (Content Addressable Memory). By adopting the Merge FSM algorithm to reduce the number of states, the proposed module contains a state block and an entry block for use in RAM. In the proposed module, one input string is compared with multiple entry strings simultaneously using the entry block. The effectiveness of the proposed pattern matching unit is verified by executing the Snort 2.9 rule set. Experimental results show that, compared to previous methods, the number of memory reads decreased by 15.8% and throughput increased by 47.1%, while memory usage increased by 2.6%.
Keywords
NIDS; Pattern Matching; RAM; FPGA;
Citations & Related Records
Times Cited By KSCI: 3