Results 1 - 10 of 27
Deep Packet Inspection Using Parallel Bloom Filters
2004
Cited by 123 (18 self)
this memory core, five random-memory locations are readable in a single clock cycle. So performing 35 concurrent memory operations requires seven parallel memory cores, each with one-seventh of the required array size, as Figure 5b illustrates. Because the basic Bloom filter allows any hash function to map to any bit in the vector, it is possible that for some member, more than five hash functions map to the same memory segment, thereby exceeding the lookup capacity of this memory core. We can solve this problem by restricting the range of each hash function to a given memory, preventing memory contention
A Methodology for Synthesis of Efficient Intrusion Detection Systems on FPGAs
In IEEE Symposium on Field-Programmable Custom Computing Machines, 2004
Cited by 51 (9 self)
Intrusion detection for network security is a computation-intensive application demanding high system performance. System level design, a relatively unexplored field in this area, allows more efficient communication and extensive reuse of hardware components for dramatic increases in area-time performance. By applying optimization strategies to the entire database, we reduce hardware requirements compared to architectures designed with single pattern matchers in mind. We present a methodology for system-wide integration of graph-based partitioning of large intrusion detection pattern databases. Integrating ruleset-based graph creation and min-cut partitioning, our methodology allows efficient multi-byte comparisons and partial matches for high performance FPGA-based network security. Through pre-processing, this methodology yields designs with competitive clock frequencies that are a minimum of 8x more area efficient than previous non-predecoded shift-and-compare architectures.
Efficient Reconfigurable Logic Circuits for Matching Complex Network Intrusion Detection Patterns
In Proceedings of 13th International Conference on Field Program, 2003
Cited by 36 (2 self)
This paper presents techniques for designing pattern matching circuits for complex regular expressions, such as those found in network intrusion detection patterns. We have developed a pattern-matching coprocessor that supports all the pattern matching functions of the Snort rule language [3]. In order to achieve maximum pattern capacity and throughput, the design focuses on minimizing circuit area while maintaining high clock speed. Using our approach, we are able to store the entire current Snort rule database consisting of over 1,500 rules and 17,000 characters into a single one-million-gate FPGA while comparing all patterns against traffic at gigabit rates.
Characterizing the Performance of Network Intrusion Detection Sensors
In Proceedings of Recent Advances in Intrusion Detection (RAID), 2003
Cited by 33 (3 self)
Network intrusion detection systems (NIDS) are becoming an important tool for protecting critical information and infrastructure. The quality of a NIDS is described by the percentage of true attacks detected combined with the number of false alerts. However, even a high-quality NIDS algorithm is not effective if its processing cost is too high, since the resulting loss of packets increases the probability that an attack is not detected. This study measures and compares two major components of the NIDS processing cost on a number of diverse systems to pinpoint performance bottlenecks and to determine the impact of operating system and architecture differences. Results show that even on moderate-speed networks, many systems are inadequate as NIDS platforms. Performance depends not only on the processor performance, but to a large extent also on the memory system. Recent trends in processor microarchitecture towards deep pipelines have a negative impact on the system's NIDS capabilities, and multiprocessor architectures usually do not lead to significant performance improvements. Overall, these results provide valuable guidelines for NIDS developers and adopters for choosing a suitable platform, and highlight the need to consider processing cost when developing and evaluating NIDS techniques.
Pre-decoded CAMs for Efficient and High-Speed NIDS Pattern Matching
In IEEE Symposium on Field-Programmable Custom Computing Machines, 2004
Cited by 31 (3 self)
In this paper we advocate the use of pre-decoding for CAM-based pattern matching. We implement an FPGA based sub-system for NIDS (Snort) pattern matching using a combination of techniques. First, we reduce the area cost of character matching using (i) character pre-decoding before they are compared in the CAM line, and (ii) efficient shift register implementation using the SRL16 Xilinx cell. Second we achieve high operating frequencies by (iii) using fine grain pipelining for faster circuits and (iv) decoupling the data distribution network from the processing components. Our results show that for matching more than 18,000 characters (the entire SNORT rule set) our implementation requires an area cost of less than 1.1 logic cells per matched character, achieving an operating frequency of about 375 MHz (3 Gbps) on a Virtex2 device. When using quad parallelism to increase the matching throughput, the area cost of a single matched character is reduced to less than one logic cell for a throughput of almost 10 Gbps.
A Hardware Platform for Network Intrusion Detection and Prevention
In Proceedings of the 3rd Workshop on Network Processors and Applications (NP3), February 2004
Cited by 28 (0 self)
The current generation of centralized network intrusion detection systems (NIDS) has various limitations on its performance and effectiveness. In this paper, we argue that intrusion detection analysis should be distributed to network node IDS (NNIDS) running in hardware on the end hosts. An NNIDS can unambiguously inspect traffic to and from the host, and when implemented on the network interface hardware, can function independently of the host operating system to provide better protection with less overhead than software implementations. We discuss the computation and communication characteristics of typical software intrusion detection analysis tasks. Then, we describe our efforts in mapping these tasks to a hardware platform using COTS components including Intel IXP network processors and Xilinx Virtex FPGAs. We report the performance of our prototype NNIDS implementation and provide analysis on how the network processor architecture affects the performance. Our results show that the NNIDS can achieve high performance with a pipeline of processing stages and careful allocation of tasks to the most appropriate hardware resources.
Prasanna, "Automatic synthesis of efficient intrusion detection systems on FPGAs"
IEEE Trans. Dependable Sec. Comput., 2006
Cited by 21 (6 self)
This paper presents a methodology and a tool for automatic synthesis of highly efficient intrusion detection systems using a high-level, graph-based partitioning methodology and tree-based lookahead architectures. Intrusion detection for network security is a compute-intensive application demanding high system performance. The tools implement and automate a customizable flow for the creation of efficient Field Programmable Gate Array (FPGA) architectures using system-level optimizations. Our methodology, implemented with a tool suite we release for public use, allows for customized performance through more efficient communication and extensive reuse of hardware components for dramatic increases in area-time performance.
Gnort: High performance network intrusion detection using graphics processors
In Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection
Cited by 17 (3 self)
The constant increase in link speeds and number of threats poses challenges to network intrusion detection systems (NIDS), which must cope with higher traffic throughput and perform even more complex per-packet processing. In this paper, we present an intrusion detection system based on the Snort open-source NIDS that exploits the underutilized computational power of modern graphics cards to offload the costly pattern matching operations from the CPU, and thus increase the overall processing throughput. Our prototype system, called Gnort, achieved a maximum traffic processing throughput of 2.3 Gbit/s using synthetic network traces, while when monitoring real traffic using a commodity Ethernet interface, it outperformed unmodified Snort by a factor of two. The results suggest that modern graphics cards can be used effectively to speed up intrusion detection systems, as well as other systems that involve pattern matching operations. Keywords: GPU, pattern matching, intrusion detection systems, network security,
Performance of FPGA Implementation of Bit-split Architecture for Intrusion Detection Systems
In Proceedings of the Reconfigurable Architectures Workshop at IPDPS (RAW '06), 2006
Cited by 12 (5 self)
The use of reconfigurable hardware for network security applications has recently made great strides as Field-Programmable Gate Array (FPGA) devices have provided larger and faster resources. The performance of an Intrusion Detection System is dependent on two metrics: throughput and the total number of patterns that can fit on a device. In this paper, we consider the FPGA implementation details of the bit-split string-matching architecture. The bit-split algorithm allows large hardware state machines to be converted into a form with much higher memory efficiency. We extend the architecture to satisfy the requirements of the IDS state-of-the-art. We show that the architecture can be effectively optimized for FPGA implementation. We have optimized the pattern memory system parameters and developed new interface hardware for communicating with an external controller. The overall performance (bandwidth * number of patterns) is competitive with other memory-based string matching architectures implemented in FPGA.
Design and Implementation of a String Matching System for Network Intrusion Detection Using FPGA-based Bloom Filters
Proc. of 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, 2004
Cited by 10 (1 self)
Modern Network Intrusion Detection Systems (NIDS) inspect the network packet payload to check if it conforms to the security policies of the given network. This process, often referred to as deep packet inspection, involves detection of predefined signature strings or keywords starting at an arbitrary location in the payload. String matching is a computationally intensive task and can become a potential bottleneck without high-speed processing. Since the conventional software-implemented string matching algorithms have not kept pace with the increasing network speeds, special purpose hardware solutions have been introduced.