Title :
TCP reassembly for signature-based Network Intrusion Detection systems
Author :
Ngoc Thinh Tran ; Tomiyama, Shigenori ; Kittitornkun, Surin ; Vu, Tran Huy
Author_Institution :
Dept. of Comput. Eng., HCMUT, Ho Chi Minh City, Vietnam
Abstract :
The rapid development of networks makes them a very important and vulnerable part of every field of life. Many intrusion detection systems are developed to protect the network using signature-based matching techniques. For connection-oriented protocols such as the Transmission Control Protocol, the data should be reassembled before being scanned by the matching engine. Several techniques have been introduced to reassemble TCP packets on FPGA. However, they have disadvantages such as inefficient memory use, poor scalability, and no support for complex TCP connections. In this paper, we propose a multi-linked-list approach combined with an edge buffering scheme for TCP reassembly, which helps detect intrusion signatures that span packet boundaries. Our architecture not only supports TCP connections with up to 4 concurrent holes, but also uses memory more efficiently than previous approaches. The experimental results show that our system can hold about 256K connections simultaneously and support up to 46K out-of-sequence connections with only 64MB DRAM.
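The abstract describes two ideas a detection engineer should understand together: a per-connection hole-tracking reassembler that bounds the number of concurrent gaps (the paper supports 4), and an edge buffer that carries the tail of already-delivered bytes forward so a signature split across two segments is still matched. The following is an added software illustration of those two mechanisms, not the paper's FPGA design or any code from the authors; the `Reassembler` class, the flow key, the constructed signature `ATTACK` and the sample segments are all assumptions made here. It generalizes slightly beyond the abstract by also handling duplicate and partially overlapping segments, which any reassembler placed in front of a matcher has to do.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_HOLES = 4  # assumption: the per-connection hole limit quoted in the abstract


@dataclass
class Connection:
    """Reassembly state for one TCP flow direction (hypothetical structure)."""
    next_seq: int                                   # next in-order byte expected
    segments: List[Tuple[int, bytes]] = field(default_factory=list)  # out-of-order buffer, sorted
    edge: bytes = b""                               # tail of delivered stream kept for cross-segment matches


class Reassembler:
    """In-order delivery with bounded holes, scanning each delivered chunk with an edge buffer."""

    def __init__(self, signatures: List[bytes], max_holes: int = MAX_HOLES):
        self.signatures = list(signatures)
        self.keep = max(len(s) for s in signatures) - 1   # edge length: longest signature minus one
        self.max_holes = max_holes
        self.conns: Dict[str, Connection] = {}
        self.alerts: List[Tuple[str, bytes, int]] = []   # (flow, signature, stream offset)

    def _holes(self, conn: Connection) -> int:
        # A hole is a gap between the delivered stream and a buffered segment,
        # or between two buffered segments. Buffer is kept sorted by seq.
        holes, cursor = 0, conn.next_seq
        for seq, data in conn.segments:
            if seq > cursor:
                holes += 1
            cursor = max(cursor, seq + len(data))
        return holes

    def feed(self, flow: str, seq: int, data: bytes, isn: int = None) -> str:
        """Accept one segment. Returns 'ok', 'duplicate' or 'dropped' (hole budget exceeded)."""
        conn = self.conns.get(flow)
        if conn is None:
            conn = Connection(next_seq=isn if isn is not None else seq)
            self.conns[flow] = conn
        if seq + len(data) <= conn.next_seq:
            return "duplicate"                      # entirely before the delivery point
        if seq < conn.next_seq:                     # partial overlap: trim the already-delivered prefix
            data = data[conn.next_seq - seq:]
            seq = conn.next_seq
        conn.segments.append((seq, data))
        conn.segments.sort(key=lambda s: s[0])
        if self._holes(conn) > self.max_holes:
            conn.segments.remove((seq, data))       # refuse rather than grow the per-flow state unbounded
            return "dropped"
        self._deliver(flow, conn)
        return "ok"

    def _deliver(self, flow: str, conn: Connection) -> None:
        # Drain every buffered segment that now touches the in-order frontier.
        while conn.segments and conn.segments[0][0] <= conn.next_seq:
            seq, data = conn.segments.pop(0)
            chunk = data[conn.next_seq - seq:]      # drop bytes a previous segment already covered
            if not chunk:
                continue
            self._scan(flow, conn, chunk)
            conn.next_seq += len(chunk)

    def _scan(self, flow: str, conn: Connection, chunk: bytes) -> None:
        # Prepend the edge so a signature straddling the segment boundary is visible.
        window = conn.edge + chunk
        for sig in self.signatures:
            start = 0
            while (i := window.find(sig, start)) >= 0:
                # Only report matches that end inside the new chunk; matches fully inside
                # the edge were already reported when that data was delivered.
                if i + len(sig) > len(conn.edge):
                    self.alerts.append((flow, sig, conn.next_seq - len(conn.edge) + i))
                start = i + 1
        conn.edge = window[-self.keep:] if self.keep > 0 else b""


def demo() -> List[Tuple[str, bytes, int]]:
    """Constructed example: stream 'hello ATTACK world' arrives as three segments, last first."""
    r = Reassembler([b"ATTACK"])
    r.feed("10.0.0.5:4444->10.0.0.9:80", 13, b"world", isn=0)
    r.feed("10.0.0.5:4444->10.0.0.9:80", 8, b"TACK ", isn=0)
    r.feed("10.0.0.5:4444->10.0.0.9:80", 0, b"hello AT", isn=0)
    return r.alerts  # the signature split across segments 0 and 8 is found at stream offset 6


if __name__ == "__main__":
    print(demo())
```

Scanning only the delivered, in-order bytes (plus the edge) is what makes the match position meaningful and keeps the matcher from being fooled by overlap tricks; the hole budget is the memory-bounding decision the abstract attributes to its architecture, and `feed` reports a `dropped` verdict so the caller can log or alert on flows that exceed it.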
Keywords :
DRAM chips; buffer storage; computer network security; digital signatures; field programmable gate arrays; transport protocols; DRAM; FPGA; TCP connections; TCP packet reassembly; concurrent holes; connection oriented protocols; cross packet intrusion signature detection; edge buffering scheme; matching engine; memory usage; multilinked-list approach; out-of-sequence connections; signature-based matching technique; signature-based network intrusion detection system; transmission control protocol; Buffer storage; Field programmable gate arrays; Memory management; Random access memory; Robustness; Throughput; Edge; FPGA; Linked list; Segment array; TCP reassembly;
Conference_Title :
Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology (ECTI-CON), 2012 9th International Conference on
Conference_Location :
Phetchaburi
Print_ISBN :
978-1-4673-2026-9
DOI :
10.1109/ECTICon.2012.6254336