• DocumentCode
    449539
  • Title

    Multi-pattern signature matching for hardware network intrusion detection systems

  • Author

    Song, Haoyu ; Lockwood, John W.

  • Author_Institution
    Dept. of Comput. Sci. & Eng., Washington Univ., St. Louis, MO, USA
  • Volume
    3
  • fYear
    2005
  • fDate
    28 Nov.-2 Dec. 2005
  • Abstract
    A network intrusion detection system (NIDS) performs deep inspection of the packet payload to identify, deter and contain malicious attacks over the Internet. It needs to perform exact matching on multi-pattern signatures in real time. In this paper we introduce an efficient data structure called the extended Bloom filter (EBF) and the corresponding algorithm to perform multi-pattern signature matching. We also present a technique to support long signature matching so that we need only maintain a limited number of supported signature lengths for the EBFs. We show that at reasonable hardware cost we can achieve very fast and almost time-deterministic exact matching for thousands of signatures. The architecture takes advantage of embedded multi-port memories in FPGAs and can be used to build a full-featured hardware-based NIDS.
  • Keywords
    Internet; data structures; field programmable gate arrays; handwriting recognition; nonlinear filters; pattern matching; security of data; FPGA; Internet; data structure; extended Bloom filter; hardware network intrusion detection systems; malicious attacks; multipattern signature matching; packet payload; time-deterministic exact matching; Costs; Data structures; Hardware; IP networks; Information filtering; Information filters; Inspection; Intrusion detection; Matched filters; Payloads;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Global Telecommunications Conference, 2005. GLOBECOM '05. IEEE
  • Print_ISBN
    0-7803-9414-3
  • Type

    conf

  • DOI
    10.1109/GLOCOM.2005.1577937
  • Filename
    1577937