A parameterized multilevel pattern matching architecture on FPGAs for network intrusion detection and prevention

Cited by: 0
Authors
Tian Song
DongSheng Wang
ZhiZhong Tang
Affiliations
[1] Beijing Institute of Technology, School of Computer Science and Technology
[2] Tsinghua University, Department of Computer Science and Technology
Keywords
network intrusion detection; network intrusion prevention; pattern matching; network security;
DOI
Not available
Chinese Library Classification number
Subject classification number
Abstract
Pattern matching is one of the most performance-critical components of content-inspection-based network security applications, such as network intrusion detection and prevention. To keep up with increasing network speeds, this component needs to be accelerated by a well-designed custom coprocessor. This paper presents a parameterized multilevel pattern matching architecture (MPM) for use on FPGAs. To reduce chip area, the architecture is based on the idea of selected character decoding (SCD) and a multilevel method, both of which are analyzed in detail. This paper also proposes an MPM generator that produces the RTL-level code of an MPM from a given pattern set and predefined parameters. With the generator, an efficient MPM architecture can be generated and embedded into a complete hardware solution. The third contribution is a mathematical model and formula for estimating the chip area of each MPM before it is generated, which is useful for choosing the proper type of FPGA. One example MPM architecture is implemented from 1785 Snort patterns on a Xilinx Virtex 2 Pro FPGA. The results show that this MPM can achieve 4.3 Gbps throughput with 5 pipeline stages and 0.22 slices per character, about one half of the chip area of the most area-efficient architecture in the literature. Other results show that MPM is also efficient for general random pattern sets. The performance of MPM scales nearly linearly, with the potential for more than 100 Gbps throughput.
Pages: 949 / 963
Page count: 14
Related papers
50 in total
  • [1] A parameterized multilevel pattern matching architecture on FPGAs for network intrusion detection and prevention
    SONG Tian WANG DongSheng TANG ZhiZhong School of Computer Science and Technology Beijing Institute of Technology Beijing China Department of Computer Science and Technology Tsinghua University Beijing China
    [J]. Science in China(Series F:Information Sciences), 2009, 52 (06) : 949 - 963
  • [2] A parameterized multilevel pattern matching architecture on FPGAs for network intrusion detection and prevention
    Song Tian
    Wang DongSheng
    Tang ZhiZhong
    [J]. SCIENCE IN CHINA SERIES F-INFORMATION SCIENCES, 2009, 52 (06): : 949 - 963
  • [3] A parameterized multilevel pattern matching architecture on FPGAs for network intrusion detection and prevention
    SONG Tian1
    2 Department of Computer Science and Technology
    [J]. Science China(Information Sciences), 2009, (06) : 949 - 963
  • [4] Multilevel pattern matching architecture for network intrusion detection and prevention system
    Song, Tian
    Tang, Zhizhong
    Wang, Dongsheng
    [J]. EMBEDDED SOFTWARE AND SYSTEMS, PROCEEDINGS, 2007, 4523 : 604 - +
  • [5] A New Architecture for Network Intrusion Detection and Prevention
    Bul'Ajoul, Waleed
    James, Anne
    Shaikh, Siraj
    [J]. IEEE ACCESS, 2019, 7 : 18558 - 18573
  • [6] Predictive Pattern Matching for Scalable Network Intrusion Detection
    Vespa, Lucas
    Mathew, Mini
    Weng, Ning
    [J]. INFORMATION AND COMMUNICATIONS SECURITY, PROCEEDINGS, 2009, 5927 : 254 - 267
  • [7] A pattern matching based network intrusion detection system
    Zhou Chunyue
    Liu Yun
    Zhang Hongke
    [J]. 2006 9TH INTERNATIONAL CONFERENCE ON CONTROL, AUTOMATION, ROBOTICS AND VISION, VOLS 1- 5, 2006, : 1410 - +
  • [8] Pattern matching acceleration for network intrusion detection systems
    Kim, S
    [J]. EMBEDDED COMPUTER SYSTEMS: ARCHITECTURES, MODELING, AND SIMULATION, 2005, 3553 : 289 - 298
  • [9] A Fast and Configurable Pattern Matching Hardware Architecture for Intrusion Detection
    Liu, Yizhen
    Xu, Daxiong
    Liu, Dong
    Sun, Lingge
    [J]. WKDD: 2009 SECOND INTERNATIONAL WORKSHOP ON KNOWLEDGE DISCOVERY AND DATA MINING, PROCEEDINGS, 2009, : 614 - +
  • [10] A high throughput string matching architecture for intrusion detection and prevention
    Tan, L
    Sherwood, T
    [J]. 32ND INTERNATIONAL SYMPOSIUM ON COMPUTER ARCHITECTURE, PROCEEDINGS, 2005, : 112 - 122