http://dx.doi.org/10.3745/KIPSTA.2005.12A.2.087

A High-speed Pattern Matching Acceleration System for Network Intrusion Prevention Systems  

Kim Sunil (School of Information and Computer Engineering, Hongik University)
Abstract
Pattern matching is one of the critical parts of a Network Intrusion Prevention System (NIPS) and is computationally intensive. To handle the large and daily growing number of attack signature patterns, an NIPS requires a multi-pattern matching method that can keep up with the line speed of packet transfer. In this paper, we analyze Snort, a widely used open-source network intrusion prevention/detection system, and its pattern matching characteristics. A multi-pattern matching method for an NIPS should efficiently handle a large number of patterns with a wide range of pattern lengths as well as case-insensitive pattern matches. It should also be able to process multiple input characters in parallel. We propose a multi-pattern matching hardware accelerator based on the Shift-OR pattern matching algorithm and evaluate its performance under various assumptions. The evaluation shows that the accelerator can be more than 80 times faster than the fastest software multi-pattern matching method used in Snort.
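The matching scheme the abstract describes, as an added software example (not the paper's hardware design and not Snort's own matcher): several content patterns are packed into one bit vector so that a single Shift-OR step per input byte advances every pattern at once, with per-pattern case folding for Snort's `nocase` option. The rule set, the simplified `(sid, content, nocase)` rule tuple and the payloads below are constructed for illustration; the paper's parallel processing of multiple input characters per cycle is not shown.

```python
"""Multi-pattern Shift-OR (bitap) matcher, bit 0 = "this position still matches".

Added example, not code from the paper or from Snort. Patterns are laid out
back to back in one integer; a pattern with index i occupies a contiguous run
of bits, its first bit is forced to 0 after every shift (so it can start at any
byte) and a 0 in its last bit reports a match ending at the current byte.
"""
from typing import Dict, List, Tuple


class ShiftOrMulti:
    def __init__(self, patterns: List[Tuple[bytes, bool]]):
        # patterns: list of (content, nocase); all must be non-empty
        if not patterns or any(len(p) == 0 for p, _ in patterns):
            raise ValueError("patterns must be non-empty")
        self.width = sum(len(p) for p, _ in patterns)
        self.all_ones = (1 << self.width) - 1
        self.start_mask = 0            # 1 bits at the first byte of each pattern
        self.end_mask = 0              # 1 bits at the last byte of each pattern
        self.end_bit_to_index: Dict[int, int] = {}
        # B[c]: 1 bits at every pattern position that does NOT accept byte c
        self.B = [self.all_ones] * 256
        pos = 0
        for idx, (pat, nocase) in enumerate(patterns):
            self.start_mask |= 1 << pos
            for j, b in enumerate(pat):
                bit = 1 << (pos + j)
                accepted = {b}
                if nocase:              # ASCII case folding only, like Snort nocase
                    accepted |= {bytes([b]).lower()[0], bytes([b]).upper()[0]}
                for c in accepted:
                    self.B[c] &= ~bit
            pos += len(pat)
            self.end_mask |= 1 << (pos - 1)
            self.end_bit_to_index[pos - 1] = idx

    def search(self, data: bytes) -> List[Tuple[int, int]]:
        """Return (pattern_index, end_offset) for every match, in scan order."""
        hits: List[Tuple[int, int]] = []
        D = self.all_ones
        for i, c in enumerate(data):
            # One shift-or step advances all patterns by one byte; clearing the
            # start bits re-arms every pattern so it may begin at this byte.
            D = ((D << 1) & ~self.start_mask & self.all_ones) | self.B[c]
            matched = ~D & self.end_mask
            while matched:              # one hit per zero end bit
                low = matched & -matched
                hits.append((self.end_bit_to_index[low.bit_length() - 1], i))
                matched ^= low
        return hits


# Constructed Snort-style rules: (sid, content, nocase)
RULES = [
    ("sid-1001", b"cmd.exe", True),
    ("sid-1002", b"/etc/passwd", False),
    ("sid-1003", b"admin", True),
]

# Constructed sample payload (not a real capture)
PAYLOAD = b"GET /cgi-bin/x?file=/ETC/PASSWD&run=CMD.EXE&user=Admin HTTP/1.0"


def scan_payload(rules, payload: bytes) -> List[Tuple[str, int]]:
    """Run all rules over one payload; returns (sid, end_offset) per hit."""
    matcher = ShiftOrMulti([(content, nocase) for _, content, nocase in rules])
    return [(rules[idx][0], end) for idx, end in matcher.search(payload)]


if __name__ == "__main__":
    for sid, end in scan_payload(RULES, PAYLOAD):
        print(f"{sid} matched, ending at byte {end}")
```

Note that `sid-1002` does not fire on `/ETC/PASSWD` because that rule is case-sensitive, while the two `nocase` rules fire on upper- and mixed-case input. Python's unbounded integers hide the register width; a hardware version such as the one the paper evaluates has a fixed vector width, so a signature set larger than that width must be split across several vectors (or several matcher instances) and the per-byte step repeated for each.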
Keywords
Network Intrusion Prevention System; Pattern Matching; Computer Architecture
References
[1] R. Sidhu and V. K. Prasanna, 'Fast Regular Expression Matching using FPGAs', The 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, May 2001
[2] E. P. Markatos, S. Antonatos, M. Polychronakis, and K. G. Anagnostakis, 'Exclusion-based Signature Matching for Intrusion Detection', The IASTED International Conference on Communications and Computer Networks, Oct. 2002
[3] C. J. Coit, S. Staniford, and J. McAlerney, 'Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort', The 2nd DARPA Information Survivability Conference and Exposition (DISCEX II), June 2002
[4] N. Tuck, T. Sherwood, B. Calder, and G. Varghese, 'Deterministic Memory-Efficient String Matching Algorithms for Intrusion Detection', The 23rd Conference of the IEEE Communications Society (INFOCOM'04), March 2004
[5] X. Zhang, C. Li, and W. Zheng, 'Intrusion Prevention System Design', Proceedings of the Fourth International Conference on Computer and Information Technology, September 2004
[6] Snort. http://www.snort.org/
[7] S. Antonatos, K. G. Anagnostakis, and E. P. Markatos, 'Generating realistic workloads for network intrusion detection systems', ACM Workshop on Software and Performance, 2004
[8] 정보흠, 김정녀, 손승원, 'Intrusion Prevention System Technology: Current Status and Outlook' (침입방지시스템 기술 현황 및 전망), Weekly Technology Trends (주간기술동향), No. 1098, June 3, 2003
[9] Code Red worm exploiting buffer overflow in IIS indexing service DLL. CERT Advisory CA-2001-19, Jan 2002
[10] MS-SQL Server Worm. CERT Advisory CA-2003-04, Jan 2003
[11] Y. H. Cho, S. Navab, and W. H. Mangione-Smith, 'Specialized Hardware for Deep Network Packet Filtering', The International Conference on Field Programmable Logic and Applications, September 2002
[12] C. Cowan, S. Arnold, S. Beattie, C. Wright, and J. Viega, 'Defcon Capture the Flag: Defending Vulnerable Code from Intense Attack', The DARPA DISCEX III Conference, April 2003
[13] IA-32 Intel® Architecture Software Developer's Manual, Volume 3: System Programming Guide, Intel, 2004
[14] A. V. Aho and M. J. Corasick, 'Efficient string matching: An aid to bibliographic search', Communications of the ACM, 18(6):333-340, 1975
[15] S. Naffziger, T. Grutkowski, and B. Stackhouse, 'The Implementation of a 2-core Multi-Threaded Itanium Family Processor', IEEE International Solid-State Circuits Conference, 2005
[16] R. A. Baeza-Yates and G. H. Gonnet, 'A New Approach to Text Searching', Communications of the ACM, October 1992
[17] C. Kun, S. Quan, and A. Mason, 'A Power-Optimized 64-bit Priority Encoder Utilizing Parallel Priority Look-Ahead', IEEE International Symposium on Circuits and Systems (ISCAS), May 2004
[18] Capture the RootFu!, The Shmoo Group, http://www.shmoo.com/cctf/
[19] I. Sourdis and D. Pnevmatikatos, 'Pre-decoded CAMs for Efficient and High-Speed NIDS Pattern Matching', The 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, April 2004
[20] S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J. W. Lockwood, 'Deep Packet Inspection Using Parallel Bloom Filters', The International Symposium on High Performance Interconnects (HotI), Aug. 2003
[21] I. Sourdis and D. Pnevmatikatos, 'Fast, Large-Scale String Match for a 10Gbps FPGA-based Network Intrusion Detection System', The 13th International Conference on Field Programmable Logic and Applications, September 2003
[22] J. Moscola, J. Lockwood, R. P. Loui, and M. Pachos, 'Implementation of a Content-Scanning Module for an Internet Firewall', The 11th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, April 2003
[23] S. Wu and U. Manber, 'AGREP - A Fast Approximate Pattern-Matching Tool', The 1992 Winter USENIX Conference, January 1992
[24] M. Gokhale, D. Dubois, A. Dubois, M. Boorman, S. Poole, and V. Hogsett, 'Granidt: Towards Gigabit Rate Network Intrusion Detection Technology', The 12th International Conference on Field-Programmable Logic and Applications, September 2002
[25] B. L. Hutchings, R. Franklin, and D. Carver, 'Assisting Network Intrusion Detection with Reconfigurable Hardware', The 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, September 2002