Christopher R. Clark
Georgia Institute of Technology
Publications
Featured research published by Christopher R. Clark.
field-programmable custom computing machines | 2004
Christopher R. Clark; David E. Schimmel
In this paper, we present a scalable FPGA design methodology for searching network packet payloads for a large number of patterns, including complex regular expressions. The efficiency of the technique enables a current-generation FPGA device to support pattern-matching at network rates from 1 Gbps to 100 Gbps and beyond. It offers flexible trade-offs between character capacity, throughput, and data bus width and rate. This allows the approach to be used in a wide range of devices from low-end home network appliances to high-end backbone routers. Suitable network applications for the FPGA pattern-matcher include firewalls, network intrusion detection, email virus scanning, and junk-email identification. In this work, we use a standard set of patterns from an intrusion detection system to demonstrate the performance and scalability of our design with a real-world application.
field-programmable logic and applications | 2003
Christopher R. Clark; David E. Schimmel
This paper presents techniques for designing pattern matching circuits for complex regular expressions, such as those found in network intrusion detection patterns. We have developed a pattern-matching co-processor that supports all the pattern matching functions of the Snort rule language [3]. In order to achieve maximum pattern capacity and throughput, the design focuses on minimizing circuit area while maintaining high clock speed. Using our approach, we are able to store the entire current Snort rule database, consisting of over 1,500 rules and 17,000 characters, in a single one-million-gate FPGA while comparing all patterns against traffic at gigabit rates.
Network Processor Design: Issues and Practices, Volume 3 | 2005
Christopher R. Clark; Wenke Lee; David E. Schimmel; Didier Contis; Mohamed Koné; Ashley Thomas
The need for building high-speed NIDS that can reliably generate alerts as intrusions occur and have the intrinsic ability to scale as network infrastructure and attack sophistication evolve has been discussed in this chapter. The key design principles are analyzed, and it is argued that network intrusion-detection functions should be carried out by distributed and collaborative NNIDS at the end hosts. It is shown that an NNIDS running on the network interface instead of the host operating system can provide increased protection, reduced vulnerability to circumvention, and much lower overhead. The chapter also describes the experience of implementing a prototype NNIDS based on Snort, an Intel IXP 1200, and a Xilinx Virtex-1000 FPGA. These experiments help to identify the performance bottlenecks and give insights into how to improve the design. System stress tests show that the embedded NNIDS can handle high-speed traffic without packet drops and achieve the same performance as the Snort software running on a dedicated high-end computer system. Ongoing work includes optimizing the performance of the NNIDS, developing strategies for sustainable operation of the NNIDS under attack through adaptation and active countermeasures, studying algorithms for distributed and collaborative intrusion detection, and further developing the analytical models for buffer and processor allocation. Also tested were FPGA pattern-matching designs that approach 10 Gbps throughput with the entire Snort ruleset using a Xilinx Virtex2 device. The chapter provides a better understanding of the design principles and implementation techniques for building high-speed, reliable, and scalable network intrusion detection systems.
field-programmable technology | 2003
Christopher R. Clark; David E. Schimmel
This paper explores the design and analysis of an FPGA module that implements pattern-matching functionality for the network intrusion detection problem. The specific features of the pattern-matcher include support for complex regular expressions and approximate matching with bounded substitutions, insertions, and deletions. A module generator is presented that utilizes non-deterministic finite automata to dynamically create efficient circuits for matching patterns specified with a standard rule language. The logic complexity and performance of the generated circuits are measured and analyzed. Results indicate that our techniques yield circuits more than twice as dense as other reported designs, while maintaining the throughput necessary for processing at gigabit line speeds and beyond. The FPGA pattern-matching processor is integrated with other hardware and software components to form a complete network intrusion detection system.
applied reconfigurable computing | 2006
Christopher R. Clark; Craig D. Ulmer; David E. Schimmel
Network intrusion detection systems (NIDS) are critical network security tools that help protect computer installations from malicious users. Traditional software-based NIDS architectures are becoming strained as network data rates increase and attacks intensify in volume and complexity. In recent years, researchers have proposed using FPGAs to perform the computationally-intensive components of intrusion detection analysis. In this work, we present a new NIDS architecture that integrates the network interface hardware and packet analysis hardware into a single FPGA chip. This integration enables a higher performance and more flexible NIDS platform. To demonstrate the benefits of this technique, we have implemented a complete and functional NIDS in a Xilinx Virtex II Pro FPGA that performs in-line packet analysis and filtering on multiple Gigabit Ethernet links using rules from the open-source Snort attack database.
field programmable gate arrays | 2006
Christopher R. Clark; David E. Schimmel
There has been a significant volume of recent work on reconfigurable designs for pattern matching at high data rates with large pattern sets. Although various pattern-matching architectures and implementations have been presented, attempts to compare different designs have been inconclusive, or even misleading, due to variations in testing procedures. There has been no general methodology for analyzing and comparing pattern-matching system design approaches. In this paper, we present a software toolset and an associated methodology for evaluating pattern-matching circuit performance. This evaluation framework relies on an analytical model of FPGA pattern-matching architectures that quantitatively expresses the relationships between pattern properties, circuit area, and circuit delay. Using our model and toolset, we show how the efficiency and performance of each architecture depend on certain properties of the pattern set. A number of experiments are performed to demonstrate that the model accurately represents the area and delay of FPGA implementations of the given architectures. For several architectures and multiple pattern sets, circuit netlists are generated and then compiled for the Xilinx Virtex II Pro platform. Our results show that pattern set properties such as pattern length and alphabet size impact the circuits of each pattern-matching architecture in markedly different ways. This indicates that useful insights are gained by using this model-based analysis methodology.
field-programmable custom computing machines | 2004
Christopher R. Clark; David E. Schimmel
Archive | 2005
Christopher R. Clark; David E. Schimmel
field-programmable custom computing machines | 2004
Christopher R. Clark; David E. Schimmel
Proposed for publication in the International Journal of Electronics. | 2005
Christopher R. Clark; Craig D. Ulmer; David E. Schimmel