DocumentCode
3523114
Title
A multiple regular expressions matching architecture for network intrusion detection system
Author
Zhang, Wei ; Song, Tian ; Wang, Dongsheng
Author_Institution
Dept. of Comput. Sci. & Tech., Tsinghua Univ., Beijing
fYear
2008
fDate
25-27 Aug. 2008
Firstpage
687
Lastpage
691
Abstract
Regular expressions are increasingly used in network security applications. Multiple regular expressions matching is one of the most important performance bottlenecks in those systems. This paper proposes a new hardware-based multiple regular-expressions matching architecture, called MRM, for network intrusion detection systems. It shows that a traditional algorithm, such as AC, has to face a serious spatial explosion problem when simultaneously detecting a large number of regular expressions because of constrained repetitions. MRM utilizes hardware RAM modules to share matching signals and exploits hardware register counting to implement constrained repetitions. This paper also proposes a software compiler to construct the hardware architecture and generate information in MRM's RAMs for the given regular expressions. Experiments on actual Snort and Bro regular expression sets show that MRM can achieve high throughput of 2.1 Gbps and 2.8 Gbps on Virtex2 and Virtex4 devices respectively.
Keywords
packet radio networks; pattern matching; random-access storage; safety systems; security of data; telecommunication security; RAM modules; bit rate 2.1 Gbit/s; bit rate 2.8 Gbit/s; multiple regular-expressions matching; network intrusion detection system; network security; regular expressions; Automata; Computer architecture; Doped fiber amplifiers; Face detection; Hardware; Information security; Inspection; Intrusion detection; Pattern matching; Payloads; intrusion detection; pattern matching; regular expression matching;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications and Networking in China, 2008. ChinaCom 2008. Third International Conference on
Conference_Location
Hangzhou
Print_ISBN
978-1-4244-2373-6
Electronic_ISBN
978-1-4244-2374-3
Type
conf
DOI
10.1109/CHINACOM.2008.4685118
Filename
4685118