Title :
FTSE: the FNIP-like TCAM searching engine
Author :
Liu, Rong-Tai ; Kao, Chia-Nan ; Wu, Hung-Shen ; Shih, Ming-Chang ; Huang, Nen-Fu
Author_Institution :
BroadWeb Corp., Hsinchu, Taiwan
Abstract :
As the Internet grows at a very rapid pace, so does the incidence of attack events and documented unlawful intrusions. The network intrusion detection systems (NIDSes) are designed to identify attacks against networks or a host that are invisible to firewalls, thus providing an additional layer of security. NIDSes detect and filter the malicious packets by inspecting packet payloads to find worm signatures. The payload inspection operation dominates the throughput of an NIDS since every byte of packet payload needs to be examined. At network speeds of 1 Gbps or above, it can be difficult to keep up with intrusion detection in software, and hardware systems or software with hardware assist are normally required. This paper presents FTSE, a ternary content addressable memory (TCAM) based pattern matching engine. In this paper we show how FTSE can be used effectively to perform string matching for thousands of strings at multiple-Gigabit speed. We also describe how FTSE can be implemented feasibly with an FPGA/ASIC, a 2.25 Mb TCAM, and a small SSRAM. Our analysis shows that this approach for string matching is very effective and the throughput of our design can achieve up to 8 Gbps for 2,085 snort rules.
Keywords :
Internet; authorisation; search engines; ASIC; FPGA; Internet; firewalls; network intrusion detection systems; packet payloads; pattern matching engine; payload inspection; ternary content addressable memory; worm signatures; Hardware; Information filtering; Information filters; Inspection; Internet; Intrusion detection; Payloads; Search engines; Software systems; Throughput;
Conference_Title :
Computers and Communications, 2005. ISCC 2005. Proceedings. 10th IEEE Symposium on
Print_ISBN :
0-7695-2373-0
DOI :
10.1109/ISCC.2005.75