Title :
A practical network intrusion detection system for inline FPGAs on 10GbE network adapters
Author :
Jaic, Keerthan ; Smith, Malcolm C. ; Sarma, Nilim
Author_Institution :
Holcombe Dept. of of Electr. & Comput. Eng., Clemson Univ., Clemson, SC, USA
Abstract :
A network intrusion detection system (NIDS), such as SNORT, analyzes incoming packets to identify potential security threats. Pattern matching is arguably the most important and most computationally intensive component of a NIDS. Software-based NIDS implementations drop up to 90% of packets during increased network load even at lower network bandwidth. We propose an alternative hybrid-NIDS that couples an FPGA with a network adapter to provide hardware support for pattern matching and software support for post processing. The proposed system, SFAOENIDS, offers an extensible open-source NIDS for Solarflare AOE devices. The pattern matching engine-the primary component of the hardware architecture was designed based on the requirements of typical NIDS implementations. In testing on a real network environment, the SFAOENIDS hardware implementation, operating at 200 MHz, handles a 10Gbps data rate without dropping packets while simultaneously minimizing the server CPU load.
Keywords :
field programmable gate arrays; security of data; SFAOENIDS; SNORT; Solarflare AOE devices; inline FPGA; lower network bandwidth; network adapters; network load; open-source NIDS; pattern matching; pattern matching engine; practical network intrusion detection system; real network environment; security threats; software based NIDS implementations; Engines; Field programmable gate arrays; Hardware; Intrusion detection; Memory management; Pattern matching; Software;
Conference_Titel :
Application-specific Systems, Architectures and Processors (ASAP), 2014 IEEE 25th International Conference on
Conference_Location :
Zurich
DOI :
10.1109/ASAP.2014.6868655
