A Method of Generating Highly Efficient String Matching Circuit for Intrusion Detection

This paper proposes a method of generating a lightweight scalable NFA-based string matching circuit with elimination of redundant resources. String matching circuits have been studied extensively for intrusion detection systems. An NFA-based string matching circuit, one of the works, has expandability of the processing data width. Due to the huge hardware requirement, it was difficult to implement an NFA-based string matching circuit with the whole Snort 2.3.3 rule (35461 characters) that processes at 10 Gbps on a single FPGA. To reduce the circuit area, we eliminate redundant states of the NFA with the Aho-Corasick approach and redundant AND-gates in the NFA. Consequently, our method reduces the resource requirements by over 50% as compared with previous NFA-based circuits, and the synthesis result shows that a matching circuit that includes the whole Snort 2.3.3 rule can be implemented onto a single Xilinx Virtex-II pro xc2vp-100 with throughput over 10 Gbps