Yi-fan HE,Guo-yin XU,Hai-bin SHEN

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.01.042

2007-01-01

Abstract:In order to improve the performance of pattern-matching module in NIDS, an efficient engine for multi-gigabit rate, line-speed pattern-matching is proposed after analyzing a large amount of related work. By grouping and evenly storing patterns into CAM or TCAM according to their lengths and amount, as well as using payload-switching technique, this engine not only reaches multi-gigabit rate performance, but also has high storage efficiency. System performance can be improved further by using multiple process modules in parallel. In a 200 MHz Clock implementation, system throughput can reach more than 6 Gbit/s.

Tian Song,Zhizhong Tang,Dongsheng Wang

DOI: https://doi.org/10.1007/978-3-540-72685-2_56

2007-01-01

Abstract:Pattern matching is one of the most performance critical components in network intrusion detection and prevention system, which needs to be accelerated by carefully designed architectures. In this paper, we present a highly parameterized multilevel pattern matching architecture (MPM), which is implemented on FPGA by exploiting redundant resources among patterns for less chip area. In practice, MPM can be partitioned to several pipelines for high frequency. This paper also presents a pattern set compiler that can generate RTL codes of MPM with the given pattern set and predefined parameters. One MPM architecture is generated by our compiler based on Snort rules on Xilinx FPGA. The results show that MPM can achieve 4.3Gbps throughput with only 0.22 slices per character, about one half chip area than the most area-efficient architecture in literature. MPM can be parameterized potential for more than 100 Gbps throughput.

Hang Lint,Weiwei Lint,Jing Lint,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iscc58397.2023.10218028

2023-01-01

Abstract:Pattern matching is an important technology applied to many security applications. Most network service providers choose to compress network traffic for better transmission, which brings the challenges of compressed traffic matching. However, existing works focus on improving the performance of uncompressed traffic matching or only realize the compressed traffic matching on end-host that can not keep pace with the dramatic increase in traffic. In this paper, we present P4CTM, a proof-of-concept method to conduct efficient compressed traffic matching on the programmable data plane. P4CTM uses the two-stage scan scheme to skip some bytes of compressed traffic, the 2-stride DFA combines with the compression algorithm to condense the state space, and the wildcard match to downsize the match action tables in the programmable data plane. The experiment indicates that P4CTM skips 83.10% bytes of compressed traffic, condenses the state space by order of magnitude, and reduces most of the table entries.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Tian Song,DongSheng Wang,ZhiZhong Tang

DOI: https://doi.org/10.1007/s11432-009-0024-x

2009-01-01

Abstract:Pattern matching is one of the most performance-critical components for the content inspection based applications of network security, such as network intrusion detection and prevention. To keep up with the increasing speed network, this component needs to be accelerated by well designed custom coprocessor. This paper presents a parameterized multilevel pattern matching architecture (MPM) which is used on FPGAs. To achieve less chip area, the architecture is designed based on the idea of selected character decoding (SCD) and multilevel method which are analyzed in detail. This paper also proposes an MPM generator that can generate RTL-level codes of MPM by giving a pattern set and predefined parameters. With the generator, the efficient MPM architecture can be generated and embedded to a total hardware solution. The third contribution is a mathematical model and formula to estimate the chip area for each MPM before it is generated, which is useful for choosing the proper type of FPGAs. One example MPM architecture is implemented by giving 1785 patterns of Snort on Xilinx Virtex 2 Pro FPGA. The results show that this MPM can achieve 4.3 Gbps throughput with 5 stages of pipelines and 0.22 slices per character, about one half chip area of the most area-efficient architecture in literature. Other results are given to show that MPM is also efficient for general random pattern sets. The performance of MPM can be scalable near linearly, potential for more than 100 Gbps throughput.

Mingjiang Ye,Ke Xu,Jianping Wu,Yong Cui

DOI: https://doi.org/10.1109/icoin.2008.4472764

2008-01-01

Abstract:Pattern-matching is often used in network security mechanisms, which detect the predefined signature strings or keywords starting at an arbitrary location in the payload. Such mechanisms require the network to inspect the packet payload at line rates to filter the worms or virus. These signature sets are large and some signature can be as long as more than 2000 byte. This paper propose a high performance and scalable packet pattern-matching architecture. Bloom filter engines are used in front-end for membership query which can achieve high performance, and an lookup table is used in back-end to performance deterministic string-matching. In order to solve the scalability problem in using Bloom filter to detect long pattern, prefix register heap is used to keep the intermediate status. The architecture can achieve gigabytes throughput with large pattern set and long patterns. A great saving in hardware resource also proves that the architecture is very scalable.

Chun Jason Xue,Meilin Liu,QingFeng Zhuge,Edwin Hsing-Mean Sha

DOI: https://doi.org/10.1007/s11265-008-0279-2

2008-01-01

Journal of Signal Processing Systems

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stopping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matching for a packet is completed in O(N log M) time where N is the size of the packet and M is the longest pattern length. Implementation is done on a standard off-the-shelf field-programmable gate array. Comparison with the other techniques shows promising results.

Monther Aldwairi,Yahya Flaifel,Khaldoon Mhaidat

DOI: https://doi.org/10.48550/arXiv.2003.00405

2020-03-01

Cryptography and Security

Abstract:Network intrusion detection systems and antivirus software are essential in detecting malicious network traffic and attacks such as denial-of-service and malwares. Each attack, worm or virus has its own distinctive signature. Signature-based intrusion detection and antivirus systems depend on pattern matching to look for possible attack signatures. Pattern matching is a very complex task, which requires a lot of time, memory and computing resources. Software-based intrusion detection is not fast enough to match high network speeds and the increasing number of attacks. In this paper, we propose special purpose hardware for Wu-Manber pattern matching algorithm. FPGAs form an excellent choice because of their massively parallel structure, reprogrammable logic and memory resources. The hardware is designed in Verilog and implemented using Xilinx ISE. For evaluation, we dope network traffic traces collected using Wireshark with 2500 signatures from the ClamAV virus definitions database. Experimental results show high speed that reaches up to 216 Mbps. In addition, we evaluate time, device usage, and power consumption.

SHAO Zong-you,LIU Xing-kui,LIU Xin-chun,SUN Ning-hui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.03.014

2013-01-01

Computer Science

Abstract:As the network bandwidth continuously increases,the network security has been seriously threatened by malicious behaviors and risks.Network intrusion detection system(NIDS) is one of the efficient measures to cope with intrusion threats and protect information security,which employs pattern matching techniques to analyze incoming packe-ts and detect potential threats.However,pattern matching is such a compute-intensive task that most current techniques can't meet the demand of NIDS for backbone networks over 10Gbps speed.We proposed a novel Bloom filter based approach for pattern matching,called PBPM(Parallel-Bloom-filter-based multi-Pattern Matching).PBPM employs multiple copies of the same Bloom filter to carry out parallel matching on different positions of the input text at the same time.The fine-grained parallel approach is able to skip multiple characters per clock when implemented on FPGAs,dramatically improving pattern matching performance.Experimental results on the rule set from Snort 2.9 show that the throughput of PBPM exceeds more than 20Gbps.

Jian Huang,Zongkai Yang,Xu Du,Wei Liu

DOI: https://doi.org/10.1109/TENCON.2005.300988

2007-01-01

Abstract:Intrusion detection and prevention system have to define more and more patterns to identify the diversification intrusions. Pattern matching, the main part of almost every modern intrusion detection system, should provide exceptionally high performance and ability of reconfiguration. FPGA based pattern matching sub-system becomes a popular solution for modern intrusion detection system. But there is still significant space to improve the FPGA resource efficiency. In this paper, we present a novel pattern matching implementation using the Half Byte Comparators (HBC). HBC based pattern matching approach can increase the area efficiency. But the operating frequency will be a little decrease. We also explored some methods to improve the operating frequency in this paper. The result shows for matching more than 22,000 characters (All the rules in SNORT v2.0) our implementation achieving an area efficiency of more than 3.13 matched characters per logic cell, achieving an operating frequency of about 325 MHz (2.6Gbps) on a Virtex-II pro device. When using quad parallelism to increase the matching throughput, the area efficiency of a logic cell is decrease to 0.71 characters for a throughput of almost 8.5 Gbps.

ZHOU Yi-nan,LI Xi,FENG Zhao-yang

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.05.035

2006-01-01

Abstract:The rapid advancements of optical networking have increased the capacity of physical links,Nowadays,the bottleneck does not lie on the transmission system,but on the network processing elements that must keep in space with the ever increasing line rates。 software-based network processing is not sufficient anymore,eapecially due to the increased requirements of new emerging feature-rich applications and services。more and more approaches using Cooperation with software and hardware was proposed.Similar as the tra-ditional network equipment,the firewall experienced its hardware architecture evolving from Intelx86 to ASIC,and then to NPU.The main characteristics of these three system structures was analysed and compared.Their values of existing and room of developing were discussed。Based a hardware platform model of VPN firewall,suggesting to develop NPU and its network security product as our own intellectual properties.It is recommended to use domestic made CPU such as "GodSon" in order to obtain fully control of the intellectual property.

Guohong Zhao,Shuhui Chen,Baokang Zhao,Ilsun You,Jinshu Su,Wanrong Yu

DOI: https://doi.org/10.1007/978-3-319-10975-6_20

2014-01-01

Abstract:Current software based Content Filtering Systems are too computing intensive in large scale packets payload detection and cannot meet the performance requirements of modern networks. Thus, hardware architectures are desired to speed up the detection process. In this paper, hardware based Conjoint Network Content Filtering System (CNCFS) is proposed to solve the problem. In CNCFS, a TCAM based algorithm named Linking Shared Multi-Match (LSMM) is implemented, which can speed up large scale Multi-Pattern Multi-Matching greatly. Also, this system can also be used in high speed mobile networks which need to deal with the security of fast handover of mobile users. The results of performance evaluation show that our solution can provide 5 Gbps wire speed processing capability.

Yaxuan Qi,Zongwei Zhou,Yiyao Wu,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5684120

2010-01-01

Abstract:With the continual growth of network speed and the increasing sophistication of network applications, keeping network operations efficient and secure becomes more challenging. Pattern matching is one of the key technologies for content-ware network processing, such as traffic classification, application identification and intrusion prevention. In this paper, we propose a hybrid pattern matching algorithm optimized for multi-core network processing platforms. As a system-level solution, our scheme focuses on both performance stability and hardware/software co-design. To verify the effectiveness of our design, the proposed algorithm is implemented on a state-of-art 16-MIPS-core network processing platform and evaluated with real-life data sets. Experimental results show that, when compared with the traditional Aho-Corasick algorithm, our hybrid solution saves 60~95% memory space while guarantees stable performance on large pattern sets and against adverse test traffic.

Chun Jason Xue,Zili Shao,Meilin Liu,Qingfeng Zhuge,Edwin H. -M. Sha

DOI: https://doi.org/10.1007/978-3-540-77092-3_8

2007-01-01

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stepping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matchings are completed in O(log M) time where M is the longest pattern length. Implementation is done on a standard off-the-shelf FPGA. Comparison with the other techniques shows promising results.

Hassan Jalil Hadi,Khurram Shahzad,Naveed Ahmed,Yue Cao,Yasir Javed

DOI: https://doi.org/10.1109/trustcom60117.2023.00354

2024-01-01

Abstract:Pattern matching in Intrusion Detection Systems (IDS) is one of the most critical and time-consuming elements, allowing the system to make decisions based on the real-time threats across the network. A pattern-matching method can be software-based or hardware-based. In this paper, a hardware implementation of bit-split algorithm has been discussed for pattern matching in order to detect unwanted traffic for a maximum number of rulesets. A hardware-based string matching scheme has been preferred here due to its fast speed and quick data parallelism for the high-performance Intrusion Detection System (IDS). The prototype of the detection method is implemented on Spartan SP605 with a small number of rules. For a large number of rules, a multi-scale Field Programmable Gate Array (FPGA)-based hardware architecture has been implemented in which we have used NetFPGA-SUME. This FPGA board has examined incoming packets at a bit rate of 1.25 Gb/sec with an operational frequency of 156.25MHZ. Furthermore, high-level data parallelism has been implemented by instantiating more than one match engine for handling multiple packets to achieve high throughput (T p ).

Yizhen Liu,Daxiong Xu,Dong Liu,Lingge Sun

DOI: https://doi.org/10.1109/WKDD.2009.111

2009-01-01

Abstract:The current hardware architectures of intrusion detection system have several limitations on performance and configurability. In this paper we describe the architecture design and hardware implementation of gigabits NIDS using a programmable network processor and a FPGA co-processor. We discuss the requirements of NIDS, system hardware architecture and report measurements. In particular, we demonstrate performance improved by optimized parallel pattern match processing and efficient memory access in field programmable gate array (FPGA). We show an NIDS which can exploit our approach hardware platform, and make suggestions about implementation features that can significantly improve the performance and configurability of intrusion detection systems.

Alan Kennedy,Xiaojun Wang,Zhen Liu,Bin Liu

DOI: https://doi.org/10.1109/date.2010.5457172

2010-01-01

Abstract:Deep Packet Inspection (DPI) involves searching a packet's header and payload against thousands of rules to detect possible attacks. The increase in Internet usage and growing number of attacks which must be searched for has meant hardware acceleration has become essential in the prevention of DPI becoming a bottleneck to a network if used on an edge or core router. In this paper we present a new multi-pattern matching algorithm which can search for the fixed strings contained within these rules at a guaranteed rate of one character per cycle independent of the number of strings or their length. Our algorithm is based on the Aho-Corasick string matching algorithm with our modifications resulting in a memory reduction of over 98% on the strings tested from the Snort ruleset. This allows the search structures needed for matching thousands of strings to be small enough to fit in the on-chip memory of an FPGA. Combined with a simple architecture for hardware, this leads to high throughput and low power consumption. Our hardware implementation uses multiple string matching engines working in parallel to search through packets. It can achieve a throughput of over 40 Gbps (OC-768) when implemented on a Stratix 3 FPGA and over 10 Gbps (OC-192) when implemented on the lower power Cyclone 3 FPGA.

Xu Kefu,Qi Deyu,Qian Zhengping,Zheng Weiping

DOI: https://doi.org/10.1109/icnsc.2008.4525325

2008-01-01

Abstract:High-speed packet content inspection and filtering devices rely on a fast multi-pattern matching algorithm which is used to detect predefined keywords or signatures in the packets. These signature sets are large (e.g., thousands) and complex. Multi-pattern matching is known to require intensive memory accesses and is often a performance bottleneck. Another problem is how to update the inconstant rule set from new attacks without halting the inspection. Hence, specialized fast dynamic pattern matching algorithms scalable for long rules are required for on-line speed deep packet inspection. We proposed a fast dynamic deep packet inspection algorithm using two pipelines which was flexible loosely coupled framework. In the fast pipeline, multiple parallel Counting Bloom filter engines which can perform fast dynamic query were adopted to achieve high throughput. Based on the principle of locality of programs, we set a threshold length for the scalability for long rules. In the relatively slow pipeline, we adopted dynamic pattern matching algorithm to distinguish the suspicious packet came from the fast pipeline. The analysis and the evaluation show that the high throughput of the algorithm can satisfy the wire speed dynamic inspection requirement when the low resource consumption further improves the scalability.

HUANG Shanguo,LI Xin,TANG Ying,GUO Junfeng

DOI: https://doi.org/10.11959/j.issn.1000-436x.2019212

2019-01-01

Abstract:In order to maintain the security of optical network,it is urgent to research and deploy photonic firewall which can effectively process high-speed optical signals to replace existing electronic firewall which consumes high energy.After a brief review of the principle of photonic firewall,the pattern matching technology based on correlation operation and all-optical logic gates were summarized,and the matching systems was compared according to their advantages and disadvantages.Besides,the realization methods of all-optical logic gates were introduced.Finally,the next research direction and development trend of all-optical pattern matching were prospected:more efficient system structure or non-linear devices with faster response speed.The survey shows that photonic firewall based on all-optical pattern matching has a good application prospect in network security.

Wen-liang FU,Ping GUO,Zhou ZHOU

DOI: https://doi.org/10.3969/j.issn.0372-2112.2016.11.001

2016-01-01

Abstract:L7-filter is a widely used traffic classification system which relies on regular expression matching based deep packet inspect method and can identify network traffic by inspecting string patterns hidden in the packet payload.How-ever,due to considerable computation and storage expenditures,existing L7-filter software and hardware solutions could not offer sufficient performance in the context of 40 Gbps and higher speed networks.Based on analysis of common features of the L7-filter protocol patterns,this paper proposes a hardware-accelerated method which is for achieving high performance and includes customized data structure,optimization and matching architecture.To validate the proposed method,a hardware prototype on Virtex 6 FPGA card is implemented and tested.Experimental results show that the prototype can scan network traffic at a typical rate of about 115Gbps.