Exploiting Dynamic Reconfiguration for FPGA Based Network Intrusion Detection Systems

A Network Intrusion Detection System (NIDS) inspects the traffic flowing in a network to detect malicious content such as spam, viruses, and so on. Hardware based solutions appear necessary to face the performance requirements emerging when the goal is to deploy such systems in high speed network scenarios. However, the appropriate choice of the hardware platform is believed to be subject to at least two requirements, usually considered independent each other: i) it needs to be reprogrammable, in order to update the intrusion detection rules each time a new threat arises, and ii) it must be capable of containing the typically very large set of rules of existing NIDSs. The goal of this paper is to show that reprogrammability can be further exploited to reduce the resource requirements for the chosen platform. Specifically, we propose an FPGA-based solution that classifies and dispatches traffic to elastic buffers, connecting one buffer at a time to a dynamically reconfigurable rule matching core. This core supports only the appropriate subset of detection rules. A worst-case analysis shows that the saving in hardware resources is achieved with a relatively small buffer space, currently available in cheap, low end, FPGA boards, with no impairment on the resulting throughput.