Signature-based network intrusion detection systems (NIDSs), such as Snort and Bro, rely on a rule database that describes traffic patterns for known attacks. They examine each packet flowing through a network segment and report suspicious packets to assure security. An attack signature may be expressed in terms of packet fields such as source/destination IP addresses, source/destination ports, protocol, and specific contents in the payload. Typically, a Perl Compatible Regular Expression (PCRE) is used to describe the specific payload content that may identify an attack. Our study shows that over 60% of the execution time in an NIDS is spent on string comparisons against a signature database of over 5,950 tokens and over 1,763 PCREs. This paper proposes extending a bit-parallel algorithm to support multi-byte processing and PCRE. The design takes a segment of bytes from the payload of a packet and detects all possible tokens, including those crossing text-segment boundaries. A tool is designed to generate VHDL code automatically from a rule set. Performance results are reported.
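The core idea of the abstract, a bit-parallel (Shift-And) token matcher whose match state is carried from one payload segment to the next so that tokens straddling a segment boundary are still detected, modelled in software as an added example; it is not the paper's design or its VHDL generator, handles literal tokens only (no PCRE), and the `PATTERNS` list and sample payload are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed token list standing in for a rule-set excerpt (not the paper's database). */
#define NPAT 3
static const char *PATTERNS[NPAT] = { "cmd.exe", "/etc/passwd", "<script" };
typedef struct {
    uint64_t B[256];    /* B[c]: bit j set if the j-th packed pattern character equals c */
    uint64_t init;      /* bit set at the first position of every pattern */
    uint64_t fin[NPAT]; /* bit set at the last position of pattern i */
    uint64_t state;     /* active prefixes; carried from one segment to the next */
} matcher_t;
/* Pack all patterns into one bit vector (25 bits here; a 64-bit word caps the total length). */
static void matcher_init(matcher_t *m) {
    int bit = 0;
    memset(m, 0, sizeof *m);
    for (int i = 0; i < NPAT; i++) {
        m->init |= 1ULL << bit;
        for (const char *p = PATTERNS[i]; *p; p++, bit++)
            m->B[(unsigned char)*p] |= 1ULL << bit;
        m->fin[i] = 1ULL << (bit - 1);
    }
}
/* Shift-And over one segment; base is the segment's offset within the payload. */
static int matcher_feed(matcher_t *m, const uint8_t *seg, size_t len, size_t base,
                        int *pat_out, size_t *end_out, int max_out) {
    int n = 0;
    for (size_t k = 0; k < len; k++) {
        m->state = ((m->state << 1) | m->init) & m->B[seg[k]];
        for (int i = 0; i < NPAT; i++)
            if ((m->state & m->fin[i]) && n < max_out) { pat_out[n] = i; end_out[n++] = base + k; }
    }
    return n;
}
/* Scan seglen bytes at a time; a token straddling a boundary is still reported. */
int scan_segmented(const char *payload, size_t seglen, int *pat_out, size_t *end_out, int max_out) {
    matcher_t m; int total = 0; size_t len = strlen(payload);
    matcher_init(&m);
    for (size_t off = 0; off < len; off += seglen) {
        size_t chunk = len - off < seglen ? len - off : seglen;
        total += matcher_feed(&m, (const uint8_t *)payload + off, chunk, off,
                              pat_out + total, end_out + total, max_out - total);
    }
    return total;
}
/* End offset of the i-th match for a given segment size, or -1 if there are fewer matches. */
long nth_match_end(const char *payload, size_t seglen, int i) {
    int pats[16]; size_t ends[16];
    return i < scan_segmented(payload, seglen, pats, ends, 16) ? (long)ends[i] : -1;
}
```

With 4-byte segments the token "cmd.exe" in the sample payload spans two boundaries yet is reported at the same end offset as when the whole payload is scanned at once, which is the property the abstract's design requires.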