Yi-fan HE,Guo-yin XU,Hai-bin SHEN

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.01.042

2007-01-01

Abstract:In order to improve the performance of pattern-matching module in NIDS, an efficient engine for multi-gigabit rate, line-speed pattern-matching is proposed after analyzing a large amount of related work. By grouping and evenly storing patterns into CAM or TCAM according to their lengths and amount, as well as using payload-switching technique, this engine not only reaches multi-gigabit rate performance, but also has high storage efficiency. System performance can be improved further by using multiple process modules in parallel. In a 200 MHz Clock implementation, system throughput can reach more than 6 Gbit/s.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Mingjiang Ye,Ke Xu,Jianping Wu,Yong Cui

DOI: https://doi.org/10.1109/icoin.2008.4472764

2008-01-01

Abstract:Pattern-matching is often used in network security mechanisms, which detect the predefined signature strings or keywords starting at an arbitrary location in the payload. Such mechanisms require the network to inspect the packet payload at line rates to filter the worms or virus. These signature sets are large and some signature can be as long as more than 2000 byte. This paper propose a high performance and scalable packet pattern-matching architecture. Bloom filter engines are used in front-end for membership query which can achieve high performance, and an lookup table is used in back-end to performance deterministic string-matching. In order to solve the scalability problem in using Bloom filter to detect long pattern, prefix register heap is used to keep the intermediate status. The architecture can achieve gigabytes throughput with large pattern set and long patterns. A great saving in hardware resource also proves that the architecture is very scalable.

Tian Song,Zhizhong Tang,Dongsheng Wang

DOI: https://doi.org/10.1007/978-3-540-72685-2_56

2007-01-01

Abstract:Pattern matching is one of the most performance critical components in network intrusion detection and prevention system, which needs to be accelerated by carefully designed architectures. In this paper, we present a highly parameterized multilevel pattern matching architecture (MPM), which is implemented on FPGA by exploiting redundant resources among patterns for less chip area. In practice, MPM can be partitioned to several pipelines for high frequency. This paper also presents a pattern set compiler that can generate RTL codes of MPM with the given pattern set and predefined parameters. One MPM architecture is generated by our compiler based on Snort rules on Xilinx FPGA. The results show that MPM can achieve 4.3Gbps throughput with only 0.22 slices per character, about one half chip area than the most area-efficient architecture in literature. MPM can be parameterized potential for more than 100 Gbps throughput.

Hang Lint,Weiwei Lint,Jing Lint,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iscc58397.2023.10218028

2023-01-01

Abstract:Pattern matching is an important technology applied to many security applications. Most network service providers choose to compress network traffic for better transmission, which brings the challenges of compressed traffic matching. However, existing works focus on improving the performance of uncompressed traffic matching or only realize the compressed traffic matching on end-host that can not keep pace with the dramatic increase in traffic. In this paper, we present P4CTM, a proof-of-concept method to conduct efficient compressed traffic matching on the programmable data plane. P4CTM uses the two-stage scan scheme to skip some bytes of compressed traffic, the 2-stride DFA combines with the compression algorithm to condense the state space, and the wildcard match to downsize the match action tables in the programmable data plane. The experiment indicates that P4CTM skips 83.10% bytes of compressed traffic, condenses the state space by order of magnitude, and reduces most of the table entries.

Yaxuan Qi,Zongwei Zhou,Yiyao Wu,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5684120

2010-01-01

Abstract:With the continual growth of network speed and the increasing sophistication of network applications, keeping network operations efficient and secure becomes more challenging. Pattern matching is one of the key technologies for content-ware network processing, such as traffic classification, application identification and intrusion prevention. In this paper, we propose a hybrid pattern matching algorithm optimized for multi-core network processing platforms. As a system-level solution, our scheme focuses on both performance stability and hardware/software co-design. To verify the effectiveness of our design, the proposed algorithm is implemented on a state-of-art 16-MIPS-core network processing platform and evaluated with real-life data sets. Experimental results show that, when compared with the traditional Aho-Corasick algorithm, our hybrid solution saves 60~95% memory space while guarantees stable performance on large pattern sets and against adverse test traffic.

JM Yu,J Li

2005-01-01

Abstract:At the heart of almost every modern Network Intrusion Detection System (NIDS), there is a pattern matching engine (PME). As pattern matching is the most time consuming operation in NIDS, it is highly desired to reduce the pattern matching time of each packet or flow. This paper proposed a parallel pattern matching algorithm based on Aho-Corasick (AC) algorithm and an efficient load balance policy for it. The method is implemented on Intel's IXP2850 Network Processor (NP). Experimental results show that when using eight processors, the pattern matching time of each packet or flow can decrease to 60.44%similar to 14.42%. Based on the parallel algorithm, a PME utilizing parallel processing on three levels is proposed. Experimental results on IXP2850 show that the throughput speedup of pattern matching is 13.34 similar to 55.48 times.

Tian Song,DongSheng Wang,ZhiZhong Tang

DOI: https://doi.org/10.1007/s11432-009-0024-x

2009-01-01

Abstract:Pattern matching is one of the most performance-critical components for the content inspection based applications of network security, such as network intrusion detection and prevention. To keep up with the increasing speed network, this component needs to be accelerated by well designed custom coprocessor. This paper presents a parameterized multilevel pattern matching architecture (MPM) which is used on FPGAs. To achieve less chip area, the architecture is designed based on the idea of selected character decoding (SCD) and multilevel method which are analyzed in detail. This paper also proposes an MPM generator that can generate RTL-level codes of MPM by giving a pattern set and predefined parameters. With the generator, the efficient MPM architecture can be generated and embedded to a total hardware solution. The third contribution is a mathematical model and formula to estimate the chip area for each MPM before it is generated, which is useful for choosing the proper type of FPGAs. One example MPM architecture is implemented by giving 1785 patterns of Snort on Xilinx Virtex 2 Pro FPGA. The results show that this MPM can achieve 4.3 Gbps throughput with 5 stages of pipelines and 0.22 slices per character, about one half chip area of the most area-efficient architecture in literature. Other results are given to show that MPM is also efficient for general random pattern sets. The performance of MPM can be scalable near linearly, potential for more than 100 Gbps throughput.

Jia Ni,Chuang Lin,Zhen Chen,Peter Ungsunan

DOI: https://doi.org/10.1109/ICPP.2007.7

2007-01-01

Abstract:Deep Packet Inspection (DPI) is a critical function in network security applications such as Firewalls and Intrusion Detection Systems (IDS). Signature based scanners used in DPI apply multi-pattern matching algorithms to check whether the packet payload or flow content contains a specified signature in a signature set. Existing multi-pattern matching algorithms sacrifice memory space to achieve better performance. In this paper a novel fast multi-pattern matching algorithm, the Hash Boyer-Moore (HBM) Algorithm, is presented, which reduces the memory footprint of the heuristic table using a hash function and adds another heuristic table to reduce the false-positive ratio. Analyses and simulations show HBM offers higher speed and lower memory cost than some existing algorithms. The HBM algorithm was implemented on the Intel IXP 2400 Network Processor (NP) platform and experiments show suitable performance results in a Gigabit Ethernet LAN environment.

Wenbao Jiang,Hua Song,Yiqi Dai

DOI: https://doi.org/10.1016/j.cose.2004.07.005

2005-01-01

Abstract:Network-based intrusion detection systems (NIDSs) frequently have problems with handling heavy traffic loads in real-time, which result in packet loss and false negatives. This paper presents a high-performance network intrusion detection system, called HPMonitor, which combines a high-efficiency detection engine and a load-balancing device to address these problems. The paper describes HPMonitor's system architecture, discusses a flow-based dynamic load-balancing algorithm called dynamic least load first (DLLF) algorithm, and introduces a new multi-pattern string matching algorithm called shift max algorithm (SMA). The test results reveal that the DLLF algorithm is an effective balancing algorithm for NIDS. Meanwhile, the experimental results show that the SMA algorithm is faster in searching large sets of patterns when compared with other algorithms, and its performance is affected little when the patterns set number increases.

XU Ning,LAI Hai-guang,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.02.019

2006-01-01

Abstract:An improved algorithm based on the ideas of Boyer-Moore method to search for multiple patterns is presented.The application of this algorithm in a network intrusion detection system is also discussed.The experiments demonstrate good improvement in matching time.

Hongbin Lu,Kai Zheng,Bin Liu,Changhua Sun

DOI: https://doi.org/10.1109/ICNS.2007.16

2007-01-01

Abstract:As one of the key methods as well as a bottleneck for Network Intrusion Detection Systems (NIDSes) to detect and eliminate malicious traffic, pattern matching is increasingly gaining popularity while also faces threats from hackers' overloading attempts. The support of mixed case-sensitive and case-insensitive patterns, which is essential for NIDSes to detect possible attacks targeting different applications and operating systems, is currently a potential vulnerability since the widely used Convert-Search-Verify (CSV) approach encounters severe performance degradation in the worst-case scenarios. This paper firstly gives a thorough analysis on the reasons causing jams in the worst case, and then boosts up the performance by leveraging a novel mechanism named Convert-Search-incrementally-Verify (CSiV). CSiV differs from CSV in that it first merges possible case-sensitive matches to suspicious segments in the "Search" phase, and then leverages an Aho-Corasick like algorithm to verify them. The infeasibility of the simple Double Search (DS) approach is also explained by analyzing its low average-case throughput. Extensive experiments based on real pattern sets along with both collected and artificial traffic traces show that, the performance of the proposed approach outperforms the DS approach by a factor of 2 in the ordinary cases, and is better than the CSV approach up to 5 times under the worst-case scenario, indicating both its feasibility and robustness for a worst-case safe NIDS. © 2007 IEEE.

Zhang Kenong,Gao Ming,Lu Jiahua,Guan Xiaohong

DOI: https://doi.org/10.1109/icnsc.2006.1673277

2006-01-01

Abstract:Network Intrusion Detection Systems (NIDS) require the sensors to inspect the packet payloads at line rates. However, the software-only NIDS can not handle the large signature set with thousands of patterns of different lengths at line rates. Ternary content-addressable memories (TCAMs) have gained wide acceptance in the industry for storing and searching patterns in routers. But one important problem blocked the way to deploy TCAMs as deep package matching engines for NIDS: long patterns matching. A novel high speed long patterns matching architecture using cascade TCAMs for large signature set based NIDS is presented in this paper. Simple and efficient systems to handle tens of thousands of signatures with thousands of bytes length each can be built on such architecture. The matching system using for current SNORT signature set can work at the speeds greater than 2 Gbps. © 2006 IEEE.

Hongbin Lu,Kai Zheng,Bin Liu,Xin Zhang,Yunhao Liu

DOI: https://doi.org/10.1109/jsac.2006.877221

IF: 16.4

2006-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The ability to inspect both packet headers and payloads to identify attack signatures makes network intrusion detection system (NIDS) a promising approach to protect Internet systems. Since most of the known attacks can be represented with strings or combinations of multiple substrings, string matching is a key component, as well as the bottleneck in NIDS to address the requirement of constantly increasing capacity. We propose a memory-efficient multiple-character-approaching architecture consisting of multiple parallel deterministic finite automata (DFAs), called TDP-DFA. By employing efficient representations for the transition rules in each DFA, TDP-DFA significantly reduces the complexity. We also present a novel scheme to share the storage of transition rules among multiple DFAs, substantially decreasing the total storage cost, and avoiding the cost increase being proportional to the number of DFAs. We evaluate this design through theoretical analysis and comprehensive experiments. Results show that TDP-DFA is able to meet the critical requirement of OC-768 wirespeed processing, as well as constituting a promising way for scaling up to cope with throughput over 100 Gb/s in the future

Xinming Chen,Yiyao Wu,Lianghong Xu,Y. Xue

2009-01-01

Abstract:As security threats and network bandwidth increase in a very fast pace, there is a growing interest in designing highperformance network intrusion detection system (NIDS). This paper presents a parallelization strategy for the popular open-source Snort to build a high performance NIDS on multi-core IA platform. A modular design of parallel NIDS based on Snort is proposed in this paper. Named Para-Snort, it enables flexible and easy module design. This paper also analyzed the performance impact of load balancing and multi-pattern matching. Modified-JSQ and AC-WM algorithms are implemented in order to resolve the bottlenecks and improve the performance of the system. Experimental results show that Para-Snort achieves significant speedup of 4 to 6 times for various traces with a 7-thread parallelizing test setup.

Yi Tang,Junchen Jiang,Xiaofei Wang,Chengchen Hu,Bin Liu,Zhijia Chen

DOI: https://doi.org/10.1587/transinf.E93.D.3232

2010-01-01

IEICE Transactions on Information and Systems

Abstract:Multi pattern matching is a key technique for Implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against tens of thousands of predefined attack signatures written in regular expressions (regexes) To this end Deterministic Finite Automaton (DFA) is widely used for multi regex matching but existing DFA based researches have claimed high throughput at an expense of extremely high memory cost so fail to be employed in devices such as high speed routers and em bedded systems where the available memory is quite limited In this paper we propose a parallel architecture of DFA called Parallel DFA (PDFA) taking advantage of the large amount of concurrent flows to increase the throughput with nearly no extra memory cost The basic Idea is to selectively store the underlying DFA in memory modules that can be accessed in parallel To explore its potential parallelism we intensively study DFA split schemes from both state and transition points in this paper The performance of our approach in both the average cases and the worst cases is analyzed optimized and evaluated by numerical results The evaluation shows that we obtain an average speedup of 100 times compared with traditional DFA based matching approach

Bo Xu,Kai Zheng,Yibo Xue,Jun Li

2010-01-01

Abstract:String matching plays an important role in content inspection based applications such as network intrusion detection/prevention and anti-virus. It is facing critical performance challenges due to the rapid increase in network bandwidth and the expansion in pattern set size. With multicore processors emerging as the dominant network processing platform, traditional one-dimension workload distribution model via flow-based traffic parallel processing can not fully exploit their computing power and cache hierarchy. In this paper, a scalable string matching framework is proposed by introducing another workload distribution dimension in pattern set. This framework distributes workloads in two dimensions: the network traffic dimension and the pattern set dimension. A novel pattern clustering mechanism named PCM is presented to optimize the pattern set partitioning. Experimental results show that the proposed framework obtains a throughput speedup of 60% compared with the traditional one-dimension workload distribution mode on real-life rule sets while the PCM pattern clustering mechanism further improves the overall throughput by 15%~20%. The framework can adapt to various string matching algorithms and the PCM scheme can be applied to different leap-based algorithms.

YE Ming-Jiang,CUI Yong,XU Ke,WU Jian-Ping

DOI: https://doi.org/10.1360/jos180117

2007-01-01

Journal of Software

Abstract:More and more network security applications depend on inspecting the content of the packets to detect the malicious attacks. To detect these attacks online, packet inspection demands exceptionally high performance. A lot of research works have been done in this field, and yet there is still significant room for improvement in throughput and scalability. This paper proposes a fast packet inspection algorithm based on state-based Bloom filter engines (SABFE). To achieve high throughput, parallel design is adopted when searching in one Bloom filter engine and between multiple Bloom filter engines. In addition, specific lookup table and prefix register heap are constructed in SABFE to keep the state of the matched prefix for the sake of detecting long patterns. The analysis and the evaluation show that the high throughput of the algorithm can satisfy the wire speed detection requirement

Alan Kennedy,Xiaojun Wang,Zhen Liu,Bin Liu

DOI: https://doi.org/10.1109/date.2010.5457172

2010-01-01

Abstract:Deep Packet Inspection (DPI) involves searching a packet's header and payload against thousands of rules to detect possible attacks. The increase in Internet usage and growing number of attacks which must be searched for has meant hardware acceleration has become essential in the prevention of DPI becoming a bottleneck to a network if used on an edge or core router. In this paper we present a new multi-pattern matching algorithm which can search for the fixed strings contained within these rules at a guaranteed rate of one character per cycle independent of the number of strings or their length. Our algorithm is based on the Aho-Corasick string matching algorithm with our modifications resulting in a memory reduction of over 98% on the strings tested from the Snort ruleset. This allows the search structures needed for matching thousands of strings to be small enough to fit in the on-chip memory of an FPGA. Combined with a simple architecture for hardware, this leads to high throughput and low power consumption. Our hardware implementation uses multiple string matching engines working in parallel to search through packets. It can achieve a throughput of over 40 Gbps (OC-768) when implemented on a Stratix 3 FPGA and over 10 Gbps (OC-192) when implemented on the lower power Cyclone 3 FPGA.