TY - GEN
T1 - Memory-efficient content filtering hardware for high-speed intrusion detection systems
AU - Yi, Sungwon
AU - Kim, Byoung Koo
AU - Oh, Jintae
AU - Jang, Jongsoo
AU - Kesidis, George
AU - Das, Chita R.
PY - 2007
Y1 - 2007
N2 - Content filtering-based Intrusion Detection Systems have been widely deployed in enterprise networks, and have become a standard measure to protect networks and network users from cyber attacks. Although several solutions have been proposed recently, finding an efficient solution is considered a difficult problem due to limitations in resources, such as a small memory size, as well as the growing link speed. In this paper, we present a novel content filtering technique called Table-driven Bottom-up Tree (TBT), which was designed i) to fully exploit hardware parallelism to achieve real-time packet inspection, ii) to require a small memory for storing signatures, iii) to be flexible in modifying the signature database, and iv) to support complex signature representation such as regular expressions. We configured TBT considering the hardware specifications and limitations, and implemented it using an FPGA. Simulation-based performance evaluations showed that the proposed technique used only 350 Kilobytes of memory for storing the latest version of SNORT rule consisting of 2770 signatures. In addition, unlike many other hardware-based solutions, modification to the signature database does not require hardware re-compilation in TBT.
UR - http://www.scopus.com/inward/record.url?scp=35248869164&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=35248869164&partnerID=8YFLogxK
U2 - 10.1145/1244002.1244068
DO - 10.1145/1244002.1244068
M3 - Conference contribution
AN - SCOPUS:35248869164
SN - 1595934804
SN - 9781595934802
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 264
EP - 269
BT - Proceedings of the 2007 ACM Symposium on Applied Computing
PB - Association for Computing Machinery
T2 - 2007 ACM Symposium on Applied Computing
Y2 - 11 March 2007 through 15 March 2007
ER -