A memory efficient FPGA-based pattern matching engine for stateful NIDS

Pattern matching task plays an important role in network security applications especially Network Intrusion Detection System (NIDS). The limitation of matching throughput on general purpose processor gives rise to implementation of the task on FPGA. In this paper, we introduce a memory efficient FPGA-based pattern matching engine. We bases on Deterministic Finite Automata (DFA) and propose some modifications to reduce redundant logic. The proposed design, with better memory utilization, is capable of dynamic update and compatible to stateful NIDS. The analysis of memory efficiency and the hardware implementation of proposed design are also provided in this paper. We experiment our approach on contemporary NIDS pattern sets and build a prototype to test on real network environment. The results show that our design could save up to 90% hardware resources compare to traditional approach. The matching engine is compatible to gigabit network and could achieve 2.7-3.2x speed up to software-based matching engine.