
A High-speed Packet Filtering System Architecture in Signature-based Network Intrusion Prevention  

Kim, Dae-Young (Department of Computer Engineering, Hongik University)
Kim, Sun-Il (Department of Computer Engineering, Hongik University)
Lee, Jun-Yong (Department of Computer Engineering, Hongik University)
Abstract
In network intrusion prevention, attack packets are detected and filtered out based on their attack signatures. Pattern matching is extensively used to find attack signatures and is the most time-consuming part of Network Intrusion Prevention Systems (NIPS). Pattern matching is usually accelerated by hardware and should be performed at wire speed in NIPS. However, that alone is not good enough. First, pattern matching hardware should be able to generate sufficient pattern match information, including the pattern index number and the location of the match, at wire speed. Second, it should support pattern grouping to reduce unnecessary pattern matches. Third, it should always have a constant worst-case performance even if the number of patterns is increased. Finally, it should be able to update patterns in a few minutes or seconds without stopping its operation. We propose a system architecture to meet the above requirements. The system architecture can process multiple pattern characters in parallel and employs a pipeline architecture to achieve high speed. Using Xilinx FPGA simulation, we show that the new system scales well to achieve a high speed over 10 Gbps and satisfies all of the above requirements.
Keywords
Network intrusion prevention; Pattern matching; Embedded system architecture; FPGA;
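The abstract lists what a signature matcher must deliver: a pattern index plus match location for every hit, pattern grouping, constant worst-case cost per byte regardless of pattern count, and a datapath that consumes several bytes per clock. The software model below is an added illustration of those properties and is not the paper's architecture or code; the full-DFA Aho-Corasick construction, the use of destination port as the grouping key, the 4-byte datapath width, and all patterns and payloads are assumptions made for the example.

```python
from collections import deque

class PatternGroup:
    """Full-DFA Aho-Corasick automaton for one pattern group: every byte costs
    one table lookup, so per-byte work is constant however many patterns load."""
    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.next = [[0] * 256]  # next[state][byte] -> state; state 0 is the root
        self.out = [[]]          # pattern indexes that end in each state
        for idx, pat in enumerate(self.patterns):
            s = 0
            for b in pat:
                if self.next[s][b] == 0:
                    self.next.append([0] * 256)
                    self.out.append([])
                    self.next[s][b] = len(self.next) - 1
                s = self.next[s][b]
            self.out[s].append(idx)
        # BFS computes failure links and folds them into the transition table.
        fail, queue = [0] * len(self.next), deque(s for s in self.next[0] if s)
        while queue:
            r = queue.popleft()
            for b in range(256):
                s = self.next[r][b]
                if s:  # trie child: inherit matches that end in its fail state
                    queue.append(s)
                    fail[s] = self.next[fail[r]][b]
                    self.out[s] += self.out[fail[s]]
                else:  # missing edge: borrow the fail state's transition
                    self.next[r][b] = self.next[fail[r]][b]

    def scan(self, payload, width=4):
        # Datapath model: `width` bytes per clock; hit = (pattern index, start offset, completing cycle)
        state, hits = 0, []
        for off, b in enumerate(payload):
            state = self.next[state][b]
            for idx in self.out[state]:
                hits.append((idx, off - len(self.patterns[idx]) + 1, off // width))
        return hits

# Constructed groups keyed by destination port (an assumed grouping key); only the packet's port group is scanned.
GROUPS = {
    80: PatternGroup([b"/cgi-bin/", b"../..", b"%00"]),
    25: PatternGroup([b"MAIL FROM:<>", b"../.."]),
}

def filter_packet(dst_port, payload, width=4):
    """Return (drop, hits) for one packet; a port with no group matches nothing."""
    group = GROUPS.get(dst_port)
    hits = group.scan(payload, width) if group else []
    return bool(hits), hits
```

Each hit record carries the index and byte offset the abstract asks for, and the cycle field shows which clock of a 4-byte-wide datapath would complete the match.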