DocumentCode
2139709
Title
Bitwise optimised CAM for network intrusion detection systems
Author
Yusuf, Sherif ; Luk, Wayne
Author_Institution
Dept. of Comput., Imperial Coll. London, UK
fYear
2005
fDate
24-26 Aug. 2005
Firstpage
444
Lastpage
449
Abstract
String pattern matching is a computationally expensive task, and when implemented in hardware, it can consume a large amount of resources for processing and storage. This paper presents a novel technique, based on a tree-based content addressable memory structure, for a pattern matching engine for use in a hardware-based network intrusion detection system. This technique involves hardware sharing at bit level in order to exploit powerful logic optimisations for multiple strings represented as a boolean expression. Our approach has been used to implement the entire SNORT rule set with around 12% of the area on a Xilinx XC2V8000 FPGA. The design can run at a rate of approximately 2.5 Gigabits per second, and is approximately 30% smaller in area when compared with published results. The performance of our design can be improved further by having multiple designs operating in parallel.
Keywords
content-addressable storage; field programmable gate arrays; optimisation; pattern matching; security of data; SNORT rule set; Xilinx XC2V8000 FPGA; bitwise optimised CAM; boolean expression; hardware sharing; logic optimisations; network intrusion detection systems; string pattern matching; tree-based content addressable memory structure; Binary decision diagrams; Boolean functions; CADCAM; Computer aided manufacturing; Engines; Hardware; Information security; Intrusion detection; Pattern matching; Payloads;
fLanguage
English
Publisher
ieee
Conference_Titel
Field Programmable Logic and Applications, 2005. International Conference on
Print_ISBN
0-7803-9362-7
Type
conf
DOI
10.1109/FPL.2005.1515762
Filename
1515762