Yi-fan HE,Guo-yin XU,Hai-bin SHEN

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.01.042

2007-01-01

Abstract:In order to improve the performance of pattern-matching module in NIDS, an efficient engine for multi-gigabit rate, line-speed pattern-matching is proposed after analyzing a large amount of related work. By grouping and evenly storing patterns into CAM or TCAM according to their lengths and amount, as well as using payload-switching technique, this engine not only reaches multi-gigabit rate performance, but also has high storage efficiency. System performance can be improved further by using multiple process modules in parallel. In a 200 MHz Clock implementation, system throughput can reach more than 6 Gbit/s.

Tian Song,Zhizhong Tang,Dongsheng Wang

DOI: https://doi.org/10.1007/978-3-540-72685-2_56

2007-01-01

Abstract:Pattern matching is one of the most performance critical components in network intrusion detection and prevention system, which needs to be accelerated by carefully designed architectures. In this paper, we present a highly parameterized multilevel pattern matching architecture (MPM), which is implemented on FPGA by exploiting redundant resources among patterns for less chip area. In practice, MPM can be partitioned to several pipelines for high frequency. This paper also presents a pattern set compiler that can generate RTL codes of MPM with the given pattern set and predefined parameters. One MPM architecture is generated by our compiler based on Snort rules on Xilinx FPGA. The results show that MPM can achieve 4.3Gbps throughput with only 0.22 slices per character, about one half chip area than the most area-efficient architecture in literature. MPM can be parameterized potential for more than 100 Gbps throughput.

Tian Song,DongSheng Wang,ZhiZhong Tang

DOI: https://doi.org/10.1007/s11432-009-0024-x

2009-01-01

Abstract:Pattern matching is one of the most performance-critical components for the content inspection based applications of network security, such as network intrusion detection and prevention. To keep up with the increasing speed network, this component needs to be accelerated by well designed custom coprocessor. This paper presents a parameterized multilevel pattern matching architecture (MPM) which is used on FPGAs. To achieve less chip area, the architecture is designed based on the idea of selected character decoding (SCD) and multilevel method which are analyzed in detail. This paper also proposes an MPM generator that can generate RTL-level codes of MPM by giving a pattern set and predefined parameters. With the generator, the efficient MPM architecture can be generated and embedded to a total hardware solution. The third contribution is a mathematical model and formula to estimate the chip area for each MPM before it is generated, which is useful for choosing the proper type of FPGAs. One example MPM architecture is implemented by giving 1785 patterns of Snort on Xilinx Virtex 2 Pro FPGA. The results show that this MPM can achieve 4.3 Gbps throughput with 5 stages of pipelines and 0.22 slices per character, about one half chip area of the most area-efficient architecture in literature. Other results are given to show that MPM is also efficient for general random pattern sets. The performance of MPM can be scalable near linearly, potential for more than 100 Gbps throughput.

Hang Lint,Weiwei Lint,Jing Lint,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iscc58397.2023.10218028

2023-01-01

Abstract:Pattern matching is an important technology applied to many security applications. Most network service providers choose to compress network traffic for better transmission, which brings the challenges of compressed traffic matching. However, existing works focus on improving the performance of uncompressed traffic matching or only realize the compressed traffic matching on end-host that can not keep pace with the dramatic increase in traffic. In this paper, we present P4CTM, a proof-of-concept method to conduct efficient compressed traffic matching on the programmable data plane. P4CTM uses the two-stage scan scheme to skip some bytes of compressed traffic, the 2-stride DFA combines with the compression algorithm to condense the state space, and the wildcard match to downsize the match action tables in the programmable data plane. The experiment indicates that P4CTM skips 83.10% bytes of compressed traffic, condenses the state space by order of magnitude, and reduces most of the table entries.

Chun Jason Xue,Zili Shao,Meilin Liu,Qingfeng Zhuge,Edwin H. -M. Sha

DOI: https://doi.org/10.1007/978-3-540-77092-3_8

2007-01-01

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stepping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matchings are completed in O(log M) time where M is the longest pattern length. Implementation is done on a standard off-the-shelf FPGA. Comparison with the other techniques shows promising results.

T Song,W Zhang,ZZ Tang,DS Wang

DOI: https://doi.org/10.1109/icess.2005.20

2005-01-01

Abstract:In this paper, we present an idea of selected character decoding (SCD) based on alphabet for network usage, especially network intrusion detection system (NIDS). SCD extends the approaches using decoder in order to achieve the least number of comparison units. The definitions of alphabet help to give the selections of characters for decoding, especially the alphabets of vertical left alignment (Avla). This paper also introduces a pattern matching architecture with alphabet based SCD. This architecture takes full advantages of the idea of pre-decoding and achieves the same high frequency as the one based on decoder while saving more than half resources. The third contribution of this paper is the idea and initial model for resource estimation just based on given pattern sets. To 1197 real patterns in Snort v2.3.3, experimental results show the resources used in alphabet based SCD is just 35.1% of the one in traditional 8-256 decoder. Targeting on Xilinx Virtex2Pro20 (speed grade 7), the pattern matching architecture can achieve 271 mHz, with 4.3Gbps throughput and can be scalable linearly.

Chun Jason Xue,Meilin Liu,QingFeng Zhuge,Edwin Hsing-Mean Sha

DOI: https://doi.org/10.1007/s11265-008-0279-2

2008-01-01

Journal of Signal Processing Systems

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stopping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matching for a packet is completed in O(N log M) time where N is the size of the packet and M is the longest pattern length. Implementation is done on a standard off-the-shelf field-programmable gate array. Comparison with the other techniques shows promising results.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Monther Aldwairi,Yahya Flaifel,Khaldoon Mhaidat

DOI: https://doi.org/10.48550/arXiv.2003.00405

2020-03-01

Cryptography and Security

Abstract:Network intrusion detection systems and antivirus software are essential in detecting malicious network traffic and attacks such as denial-of-service and malwares. Each attack, worm or virus has its own distinctive signature. Signature-based intrusion detection and antivirus systems depend on pattern matching to look for possible attack signatures. Pattern matching is a very complex task, which requires a lot of time, memory and computing resources. Software-based intrusion detection is not fast enough to match high network speeds and the increasing number of attacks. In this paper, we propose special purpose hardware for Wu-Manber pattern matching algorithm. FPGAs form an excellent choice because of their massively parallel structure, reprogrammable logic and memory resources. The hardware is designed in Verilog and implemented using Xilinx ISE. For evaluation, we dope network traffic traces collected using Wireshark with 2500 signatures from the ClamAV virus definitions database. Experimental results show high speed that reaches up to 216 Mbps. In addition, we evaluate time, device usage, and power consumption.

Wang Jie,Ji Zhen-Zhou,Hu Ming-Zeng

2009-01-01

Abstract:Along with development of network techniques and firewall techniques, multipattern matching for content filtering, virus detection and other network security measures is emphasized in the field of hardware firewall. Principles of multi-pattern matching on network firewall based on FPGA (Field Programmable Gate Array) are presented: low latency, supporting non-fixed-length pattern and forward matching. And architecture of high-performance matching on data link layer forming pipeline with frame transmission is proposed especially for multi-port scheduling. By academic analysis and experimental validation it can support applications of high-performance hardware network firewall and effectively reduce additional delays by expand logics.

SHAO Zong-you,LIU Xing-kui,LIU Xin-chun,SUN Ning-hui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.03.014

2013-01-01

Computer Science

Abstract:As the network bandwidth continuously increases,the network security has been seriously threatened by malicious behaviors and risks.Network intrusion detection system(NIDS) is one of the efficient measures to cope with intrusion threats and protect information security,which employs pattern matching techniques to analyze incoming packe-ts and detect potential threats.However,pattern matching is such a compute-intensive task that most current techniques can't meet the demand of NIDS for backbone networks over 10Gbps speed.We proposed a novel Bloom filter based approach for pattern matching,called PBPM(Parallel-Bloom-filter-based multi-Pattern Matching).PBPM employs multiple copies of the same Bloom filter to carry out parallel matching on different positions of the input text at the same time.The fine-grained parallel approach is able to skip multiple characters per clock when implemented on FPGAs,dramatically improving pattern matching performance.Experimental results on the rule set from Snort 2.9 show that the throughput of PBPM exceeds more than 20Gbps.

Alan Kennedy,Xiaojun Wang,Zhen Liu,Bin Liu

DOI: https://doi.org/10.1109/date.2010.5457172

2010-01-01

Abstract:Deep Packet Inspection (DPI) involves searching a packet's header and payload against thousands of rules to detect possible attacks. The increase in Internet usage and growing number of attacks which must be searched for has meant hardware acceleration has become essential in the prevention of DPI becoming a bottleneck to a network if used on an edge or core router. In this paper we present a new multi-pattern matching algorithm which can search for the fixed strings contained within these rules at a guaranteed rate of one character per cycle independent of the number of strings or their length. Our algorithm is based on the Aho-Corasick string matching algorithm with our modifications resulting in a memory reduction of over 98% on the strings tested from the Snort ruleset. This allows the search structures needed for matching thousands of strings to be small enough to fit in the on-chip memory of an FPGA. Combined with a simple architecture for hardware, this leads to high throughput and low power consumption. Our hardware implementation uses multiple string matching engines working in parallel to search through packets. It can achieve a throughput of over 40 Gbps (OC-768) when implemented on a Stratix 3 FPGA and over 10 Gbps (OC-192) when implemented on the lower power Cyclone 3 FPGA.

Yaxuan Qi,Zongwei Zhou,Yiyao Wu,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5684120

2010-01-01

Abstract:With the continual growth of network speed and the increasing sophistication of network applications, keeping network operations efficient and secure becomes more challenging. Pattern matching is one of the key technologies for content-ware network processing, such as traffic classification, application identification and intrusion prevention. In this paper, we propose a hybrid pattern matching algorithm optimized for multi-core network processing platforms. As a system-level solution, our scheme focuses on both performance stability and hardware/software co-design. To verify the effectiveness of our design, the proposed algorithm is implemented on a state-of-art 16-MIPS-core network processing platform and evaluated with real-life data sets. Experimental results show that, when compared with the traditional Aho-Corasick algorithm, our hybrid solution saves 60~95% memory space while guarantees stable performance on large pattern sets and against adverse test traffic.

WU Yong-chao,HUA Bei

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.08.056

2009-01-01

Abstract:【Abstract】Deep packet inspection is the bottleneck of a ,network intrusion detection system. This paper analyzes the characteristic of a ,real intrusion pattern string set, discusses the improvement of a multi-pattern matching algorithm FNP and its implementing optimization on a multi-core and multithreaded platform-Intel IXP2800 Network Processor Unit(NPU). Simulations on Intel IXP2800 NPU show ,that the improved ,FNP can achieve 6 Gb/s throughput on a 10 K-size randomly generated pattern sets, and has almost linear speedup. 【Key words】multi-pattern matching; network processor; parallel algorithm 计 ,算 ,机 ,工 ,程 Computer Engineering 第 35卷 ,第 8期 Vol.35 ,No.8 2009年 4月 April 2009 ·安全技术·,,1000—3428(2009)08—0166—03 文献标识码：A 中图分类号：TP393.08 1 概述

Chao Kong,Bo Yang,Zhiping Jia,Zhenxiang Chen

DOI: https://doi.org/10.1109/MINES.2009.66

2009-01-01

Abstract:An Intrusion Detection System (IDS) implements pattern matching approach on the network traffic to find the malicious packets carrying attack signatures. In this paper, a common Field Programmable Gate Array (FPGA) based on-board hardware architecture which is compatible with both ordinary string and Perl Compatible Regular Expression (PCRE) pattern matching is proposed to accelerate IDS. Furthermore, a flexible storage structure which is suitable for many general hardware matching algorithms and an optimized combinational logic circuit structure for PCRE matching are designed. With the synchronization of a connection decoder, ordinary string matching module coordinates with PCRE matching module to implement string-PCRE mixed rule.

Jia Ni,Chuang Lin,Zhen Chen,Peter Ungsunan

DOI: https://doi.org/10.1109/ICPP.2007.7

2007-01-01

Abstract:Deep Packet Inspection (DPI) is a critical function in network security applications such as Firewalls and Intrusion Detection Systems (IDS). Signature based scanners used in DPI apply multi-pattern matching algorithms to check whether the packet payload or flow content contains a specified signature in a signature set. Existing multi-pattern matching algorithms sacrifice memory space to achieve better performance. In this paper a novel fast multi-pattern matching algorithm, the Hash Boyer-Moore (HBM) Algorithm, is presented, which reduces the memory footprint of the heuristic table using a hash function and adds another heuristic table to reduce the false-positive ratio. Analyses and simulations show HBM offers higher speed and lower memory cost than some existing algorithms. The HBM algorithm was implemented on the Intel IXP 2400 Network Processor (NP) platform and experiments show suitable performance results in a Gigabit Ethernet LAN environment.

Dongcan Zhao,Xiaomin Zhu,Tong Xu

DOI: https://doi.org/10.1109/ICBNMT.2013.6823958

2013-01-01

Abstract:Pattern matching for intrusion feature strings is an important basis for detecting invasion, thus the efficiency of pattern matching is a key factor influencing the performance of intrusion detection. Based on the discussion of the classic BM (Boyer-Moore), BMH (Boyer-Moor-Horspool) and Sunday algorithms for pattern matching, an improved algorithm Sunday-C is proposed. By adding an extra skip before a match, Sunday-C produces a bigger skip distance for reducing the number of match loops and increasing the match the efficiency. Theoretical analysis and experimental test of this paper compares the classic algorithm and improved algorithms for matching performance. The result shows that improved algorithm can save matching time. When applied to the intrusion detection, this algorithm will enhance the detection efficiency.

周文秋,吕岳

DOI: https://doi.org/10.3969/j.issn.1009-2552.2009.03.009

2009-01-01

Abstract:Pattern matching algorithm is the core of the rule-based intrusion detection system(IDS).This paper describes the matching principle of snort and its foundation BM algorithm.A more efficient algorithm 2C-BM is then proposed,in which two characters are compared every time,and two shift values are referenced when a mismatching happened.Then the time complexity analysis and experiment results of the algorithm are given out.The new algorithm improved the matching efficiency greatly.

杨武,方滨兴,云晓春,张宏莉

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.13.038

2004-01-01

Abstract:The performance of a signature-matching-based network intrusion detection system (NIDS) is dominated by pattern matching algorithm. Based on the profile of the popular NIDS-snort, this paper studies how to utilize different efficient pattern matching algorithms to optimize the performance of snort. It mainly presents a multi-pattern matching algorithm based on the idea of BM algorithm-SSPBM algorithm. The result shows SSPBM algorithm can greatly improve the detecting performance of NIDS.

JM Yu,J Li

2005-01-01

Abstract:At the heart of almost every modern Network Intrusion Detection System (NIDS), there is a pattern matching engine (PME). As pattern matching is the most time consuming operation in NIDS, it is highly desired to reduce the pattern matching time of each packet or flow. This paper proposed a parallel pattern matching algorithm based on Aho-Corasick (AC) algorithm and an efficient load balance policy for it. The method is implemented on Intel's IXP2850 Network Processor (NP). Experimental results show that when using eight processors, the pattern matching time of each packet or flow can decrease to 60.44%similar to 14.42%. Based on the parallel algorithm, a PME utilizing parallel processing on three levels is proposed. Experimental results on IXP2850 show that the throughput speedup of pattern matching is 13.34 similar to 55.48 times.