A pattern-matching co-processor for network intrusion detection systems

This paper explores the design and analysis of an FPGA module that implements pattern-matching functionality for the network intrusion detection problem. The specific features of the pattern-matcher include support for complex regular expressions and approximate matching with bounded substitutions, insertions, and deletions. A module generator is presented that utilizes non-deterministic finite automata to dynamically create efficient circuits for matching patterns specified with a standard rule language. The logic complexity and performance of the generated circuits is measured and analyzed. Results indicate our techniques yield circuits that are more than twice as dense as other reported designs, while maintaining the throughput necessary for processing at gigabit line speeds and beyond. The FPGA pattern-matching processor is integrated with other hardware and software components to form a complete network intrusion detection system.