DocumentCode
2581197
Title
Assisting network intrusion detection with reconfigurable hardware
Author
Hutchings, B.L. ; Franklin, R. ; Carver, D.
Author_Institution
Dept. of Electr. & Comput. Eng., Brigham Young Univ., Provo, UT, USA
fYear
2002
fDate
2002
Firstpage
111
Lastpage
120
Abstract
String matching is used by Network Intrusion Detection Systems (NIDS) to inspect incoming packet payloads for hostile data. String-matching speed is often the main factor limiting NIDS performance. String-matching performance can be dramatically improved by using Field-Programmable Gate Arrays (FPGAs); accordingly, a "regular-expression to FPGA circuit" module generator has been developed. The module generator extracts strings from the Snort NIDS rule-set, generates a regular expression that matches all extracted strings, synthesizes an FPGA-based string-matching circuit, and generates an EDIF netlist that can be processed by Xilinx software to create an FPGA bitstream. The feasibility of this approach is demonstrated by comparing the performance of the FPGA-based string matcher against the software-based GNU regex program. The FPGA-based string matcher exceeds the performance of the software-based system by 600x for large patterns.
Keywords
compiler generators; computer network management; field programmable gate arrays; reconfigurable architectures; string matching; EDIF netlist; Xilinx software; field-programmable gate arrays; module generator; network intrusion detection; packet payloads; reconfigurable hardware; software-based GNU regex program; string matching; Automatic test pattern generation; Circuits; Databases; Field programmable gate arrays; Hardware; Intrusion detection; Java; Pattern matching; Payloads; Test pattern generators;
fLanguage
English
Publisher
ieee
Conference_Titel
Field-Programmable Custom Computing Machines, 2002. Proceedings. 10th Annual IEEE Symposium on
Print_ISBN
0-7695-1801-X
Type
conf
DOI
10.1109/FPGA.2002.1106666
Filename
1106666