• Title/Summary/Keyword: pattern matching hardware


The Design and Implementation of Network Intrusion Detection System Hardware on FPGA (FPGA 기반 네트워크 침입탐지 시스템 하드웨어 설계 및 구현)

  • Kim, Taek-Hun;Yun, Sang-Kyun
    • Journal of the Korea Society of Computer and Information / v.17 no.4 / pp.11-18 / 2012
  • Deep packet inspection, which performs pattern matching to search for malicious patterns in the packet, is the most computationally intensive task. Hardware-based pattern matching is required for real-time packet inspection in high-speed networks. In this paper, we have designed and implemented network intrusion detection hardware as a MicroBlaze-based SoC using a Virtex-6 FPGA, which captures the network input packets, performs hardware-based pattern matching for patterns in the Snort rules, and provides the matching result to the software. We verify the operation of the implemented system using a traffic generator and real network traffic. The implemented hardware can be used in network intrusion detection systems operating at wire speed.

A Hardware Architecture of Regular Expression Pattern Matching for Deep Packet Inspection (심층 패킷검사를 위한 정규표현식 패턴매칭 하드웨어 구조)

  • Yun, Sang-Kyun;Lee, Kyu-Hee
    • Journal of the Korea Society of Computer and Information / v.16 no.5 / pp.13-22 / 2011
  • Network Intrusion Detection Systems use regular expressions to represent malicious packets, and hardware-based pattern matching is required for fast deep packet inspection. Although hardware architectures for implementing constraint repetition operators such as {10} were recently proposed, they have some limitations. In this paper, we propose a hardware architecture supporting constraint repetitions of general regular expression sub-patterns with lower logic complexity. The sub-patterns supported by the proposed constraint repetition architecture include general regular expression patterns as well as single-character and fixed-length patterns. With the proposed building block, we can implement regular expression pattern matching hardware more efficiently.

A Hardware Architecture of Multibyte-based Regular Expression Pattern Matching for NIDS (NIDS를 위한 다중바이트 기반 정규표현식 패턴매칭 하드웨어 구조)

  • Yun, Sang-Kyun;Lee, Kyu-Hee
    • The Journal of Korean Institute of Communications and Information Sciences / v.34 no.1B / pp.47-55 / 2009
  • In recent network intrusion detection systems, regular expressions are used to represent malicious packets. In order to process incoming packets through high-speed networks in real time, we should perform hardware-based pattern matching using configurable devices such as FPGAs. However, the operating speed of FPGAs is slower than gigabit-speed networks, so multi-byte processing per clock cycle may be needed. In this paper, we propose a hardware architecture for multi-byte based regular expression pattern matching and implement the pattern matching circuit generator. The throughput improvements in a four-byte based pattern matching circuit synthesized in an FPGA for several Snort rules are $2.62{\sim}3.4$ times.

A High-speed Pattern Matching Acceleration System for Network Intrusion Prevention Systems (네트워크 침입방지 시스템을 위한 고속 패턴 매칭 가속 시스템)

  • Kim Sunil
    • The KIPS Transactions:PartA / v.12A no.2 s.92 / pp.87-94 / 2005
  • Pattern matching is one of the critical parts of Network Intrusion Prevention Systems (NIPS) and is computationally intensive. To handle a large number of attack signature patterns increasing every day, a network intrusion prevention system requires a multi-pattern matching method that can meet the line speed of packet transfer. In this paper, we analyze Snort, a widely used open source network intrusion prevention/detection system, and its pattern matching characteristics. A multi-pattern matching method for NIPS should efficiently handle a large number of patterns with a wide range of pattern lengths and case-insensitive pattern matches. It should also be able to process multiple input characters in parallel. We propose a multi-pattern matching hardware accelerator based on the Shift-OR pattern matching algorithm. We evaluate the performance of the pattern matching accelerator under various assumptions. The performance evaluation shows that the pattern matching accelerator can be more than 80 times faster than the fastest software multi-pattern matching method used in Snort.

A Traffic Pattern Matching Hardware for a Contents Security System (콘텐츠 보안 시스템용 트래픽 패턴 매칭 하드웨어)

  • Choi, Young;Hong, Eun-Kyung;Kim, Tae-Wan;Paek, Seung-Tae;Choi, Il-Hoon;Oh, Hyeong-Cheol
    • Journal of the Institute of Electronics Engineers of Korea CI / v.46 no.1 / pp.88-95 / 2009
  • This paper presents a traffic pattern matching hardware that can be used in high-performance network applications. The presented hardware is designed for a contents security system which is to block various kinds of information drain or intrusion activities. The hardware consists of two parts: the header lookup and string pattern matching parts. For implementing the header lookup part in hardware, TCAMs (ternary CAMs) are popularly used. Since the TCAM approach is inefficient in terms of hardware and memory costs and power consumption, however, we adopt and modify an alternative approach based on comparator arrays and the HiCuts tree. Our implementation results, using a Xilinx FPGA XC4VSX55, show that our design can reduce the usage of the FPGA slices by about 26%, and the Block RAM by about 58%. In the design of the string pattern matching part, we design and use a hashing module based on cellular automata, which is hardware efficient and consumes less power by adaptively changing its configuration to reduce the collision rates.

The Study on matrix based high performance pattern matching by independence partial match (독립 부분 매칭에 의한 행렬 기반 고성능 패턴 매칭 방법에 관한 연구)

  • Jung, Woo-Sug;Kwon, Taeck-Geun
    • The Journal of Korean Institute of Communications and Information Sciences / v.34 no.9B / pp.914-922 / 2009
  • In this paper, we propose a matrix-based real-time pattern matching method, called MDPI, for real-time intrusion detection on several-Gbps network traffic. In particular, in order to minimize the overhead caused by buffering, reordering, and reassembling when the incoming packet sequence is disrupted, MDPI adopts independent partial matching when dealing with the pattern matching matrix. Consequently, we achieved performance improvements of 61% and 50% with respect to TCAM method efficiency through several experiments where the average length of the Snort rule set was maintained at 9 bytes, and w=4 bytes and w=8 bytes were assigned, respectively. Moreover, we observed that the pattern scan speed of MDPI was 10.941 Gbps and the consumption of hardware resources was 5.79 LC/Char in the pattern classification of MDPI. This means that MDPI provides the optimal performance compared to hardware complexity. Therefore, by decreasing the hardware cost that came from the increased TCAM memory efficiency, MDPI is proven to be a cost-effective, high-performance intrusion detection technique.

A Study on Voice Recognition Pattern matching level for Vehicle ECU control (자동차 ECU제어를 위한 음성인식 패턴매칭레벨에 관한 연구)

  • Ahn, Jong-Young;Kim, Young-Sub;Kim, Su-Hoon;Hur, Kang-In
    • The Journal of the Institute of Internet, Broadcasting and Communication / v.10 no.1 / pp.75-80 / 2010
  • Noise handling is very important in voice recognition in the vehicle environment, and it has been studied with hardware and software approaches. The hardware method is noise filter circuit design, basically using a low-pass filter, and it has shown good results. On the software side, algorithms for noise cancellers, NN (neural networks), etc. have been developed. In this paper we analyze the classified parameter pattern matching level for voice recognition in a car noise environment using DTW (Dynamic Time Warping), which is an applicable time-series pattern recognition algorithm.

String matching for Network Intrusion Detection System using FPGA (FPGA를 사용한 네트워크 침입탐지 시스템의 문자열 비교)

  • Lee, Jang-Haeng;Hwang, Sung-Ho;Park, Neung-Soo
    • Proceedings of the Korean Information Science Society Conference / 2005.11a / pp.886-888 / 2005
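  • A Network Intrusion Detection System (NIDS) is a system that monitors and analyzes packets arriving over the network and detects packets carrying content harmful to internal systems. Such a system must be able to analyze the packets traveling within the network without missing any, and must be able to defend against unpredictable attack methods by applying new rules. In this study, we implemented the software pattern matching that Snort performs in an NIDS as hardware pattern matching using an FPGA, and, so that it can adapt flexibly to new rules, we expressed the pattern matching as regular expressions so that it can be reconfigured on the FPGA.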


A High-speed Packet Filtering System Architecture in Signature-based Network Intrusion Prevention (시그내쳐 기반의 네트워크 침입 방지에서 고속의 패킷 필터링을 위한 시스템 구조)

  • Kim, Dae-Young;Kim, Sun-Il;Lee, Jun-Yong
    • Journal of KIISE:Computer Systems and Theory / v.34 no.2 / pp.73-83 / 2007
  • In network intrusion prevention, attack packets are detected and filtered out based on their attack signatures. Pattern matching is extensively used to find attack signatures and is the most time-consuming part of the execution of Network Intrusion Prevention Systems (NIPS). Pattern matching is usually accelerated by hardware and should be performed at wire speed in NIPS. However, that alone is not good enough. First, pattern matching hardware should be able to generate sufficient pattern match information, including the pattern index number and the location of the match found, at wire speed. Second, it should support pattern grouping to reduce unnecessary pattern matches. Third, it should always have a constant worst-case performance even if the number of patterns is increased. Finally, it should be able to update patterns in a few minutes or seconds without stopping its operations. We propose a system architecture to meet the above requirements. The system architecture can process multiple pattern characters in parallel and employs a pipeline architecture to achieve high speed. Using Xilinx FPGA simulation, we show that the new system scales well to achieve a high speed over 10 Gbps and satisfies all of the above requirements.

An Automatic Inspection System for Hologram with Multiple Patterns (다중패턴 홀로그램을 위한 자동검사 시스템)

  • Kwon, Hyuk-Joong;Seo, Hye-Yeong;Park, Tae-Hyoung
    • Proceedings of the KIEE Conference / 2007.07a / pp.310-311 / 2007
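  • We propose an automatic inspection system for holograms with multiple patterns. The system hardware consists of an illumination system, a camera, and an image processing unit. Various illuminators using UV LEDs are placed at different positions to acquire the image pattern at each position. The system software consists of preprocessing, pattern generation, and pattern matching. The acquired input hologram image is compared with the standard pattern by a pattern matching algorithm. To correct the position error of the input hologram, standard hologram patterns at different positions must be generated online. This paper applies a frequency transform based on the CGH (Computer Generated Hologram) method to generate the standard patterns. Experimental results for the hologram of the Korean banknote demonstrate the usefulness of the proposed system.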
