Signature-based network intrusion detection systems (NIDSs), such as Snort and Bro, rely on a rule database that describes traffic patterns for known attacks. They examine each packet flowing through a network segment and report suspicious packets. An attack signature may be expressed in terms of packet fields such as source/destination IP addresses, source/destination ports, protocol, and specific content in the payload. Typically, a Perl Compatible Regular Expression (PCRE) describes the payload content that identifies an attack. Our study shows that over 60% of the execution time of an NIDS is spent on string comparisons against a signature database of over 5,950 tokens and over 1,763 PCREs. This paper proposes to extend a bit-parallel algorithm to support multi-byte processing and PCRE. The design takes a segment of bytes from the payload of a packet and detects all possible tokens, including those crossing segment boundaries. A tool is designed to generate VHDL code from a rule set automatically. Performance results are reported.
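The boundary-crossing point in the abstract above is easiest to see in a software model of the same idea. The following is an added illustration, not the paper's VHDL design: a bit-parallel (Shift-And) scanner for a set of fixed tokens that consumes the payload one segment at a time and keeps its match-progress register across segments, so a token split over two segments is still reported. The token set, the payload and the `segment_size`/`carry_state` parameters are constructed for this example; the `carry_state=False` path exists only to show what a per-segment matcher that clears its state would miss.

```python
"""Bit-parallel (Shift-And) multi-token scanner processing a payload in
fixed-size segments. Added illustration; not the paper's VHDL design.
Token set and payload are constructed for the example."""

from typing import Dict, List, Tuple

TOKENS = [b"cmd.exe", b"/bin/sh", b"<script"]   # constructed sample signatures


class ShiftAndScanner:
    """All tokens share one bit vector: token t occupies a contiguous run of
    len(t) bits. Bit (offset+j) is set in the state when the last j+1 input
    bytes equal t[:j+1]. In hardware this vector is a register of width
    sum(len(t)) bits; here a Python int plays that role."""

    def __init__(self, tokens: List[bytes]):
        self.tokens = tokens
        self.byte_mask: Dict[int, int] = {}      # B[c]: bits whose token byte is c
        self.start_mask = 0                      # I: first bit of every token
        self.final_mask = 0                      # F: last bit of every token
        self.spans: List[Tuple[int, int]] = []   # (first bit, length) per token
        offset = 0
        for tok in tokens:
            self.spans.append((offset, len(tok)))
            self.start_mask |= 1 << offset
            self.final_mask |= 1 << (offset + len(tok) - 1)
            for j, c in enumerate(tok):
                self.byte_mask[c] = self.byte_mask.get(c, 0) | (1 << (offset + j))
            offset += len(tok)
        self.state = 0      # match-progress register; persists across segments
        self.consumed = 0   # payload bytes seen so far

    def _step(self, c: int) -> List[Tuple[bytes, int]]:
        # One Shift-And transition: advance every partial match by one byte,
        # restart every token at its first byte, and keep only the positions
        # whose expected byte equals c.
        self.state = ((self.state << 1) | self.start_mask) & self.byte_mask.get(c, 0)
        self.consumed += 1
        hits = self.state & self.final_mask
        found = []
        if hits:
            for t, (off, ln) in enumerate(self.spans):
                if (hits >> (off + ln - 1)) & 1:
                    found.append((self.tokens[t], self.consumed - ln))
        return found

    def feed_segment(self, segment: bytes) -> List[Tuple[bytes, int]]:
        """Process one segment (the k bytes a multi-byte engine takes per clock)."""
        found = []
        for c in segment:
            found.extend(self._step(c))
        return found


def scan_payload(tokens: List[bytes], payload: bytes,
                 segment_size: int = 4, carry_state: bool = True) -> List[Tuple[bytes, int]]:
    """Return (token, start offset) pairs. With carry_state=False the register
    is cleared at every segment boundary, which is exactly the mistake the
    design above avoids: tokens spanning two segments are silently missed."""
    scanner = ShiftAndScanner(tokens)
    found = []
    for i in range(0, len(payload), segment_size):
        if not carry_state:
            scanner.state = 0
        found.extend(scanner.feed_segment(payload[i:i + segment_size]))
    return found


# Constructed sample payload: both tokens straddle 4-byte segment boundaries.
PAYLOAD = b"GET /a?c=cmd.exe&s=/bin/sh HTTP/1.0"

if __name__ == "__main__":
    print(scan_payload(TOKENS, PAYLOAD))                     # both tokens found
    print(scan_payload(TOKENS, PAYLOAD, carry_state=False))  # both missed
```

The register width grows with the total length of all tokens, which is what makes the approach attractive for an FPGA: each token costs only as many bits as it has bytes, and the per-byte transition is a shift, an OR and an AND against a byte-indexed lookup table.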
With their expressiveness and simplicity, Perl compatible regular expressions (PCREs) have been adopted in mainstream signature-based network intrusion detection systems (NIDSs) to describe known attack signatures, especially for polymorphic worms. An NIDS relies on an underlying string matching engine that simulates the PCREs to inspect each network packet. PCRE is a superset of traditional regular expressions and provides advanced features. However, this pattern matching becomes the performance bottleneck of software-based NIDSs: a large portion of their execution time is spent on payload inspection, which results in an unacceptable packet drop rate. Every dropped packet passes through uninspected, so these packets open a security hole in such systems. Over the past decade, hardware acceleration of pattern matching has been studied extensively, and marginal performance gains have been achieved. Among hardware approaches, FPGA-based acceleration engines provide great flexibility because new signatures can be compiled and programmed into their reconfigurable architecture. As more and more malicious signatures are discovered, it becomes harder to map a complete set of signatures specified as PCREs onto a single FPGA chip. One of the space-consuming components is the counter used for constrained repetitions (x{m,n}) in PCREs. Therefore, we propose a space-efficient SelectRAM counter for PCREs that use counting. The design takes advantage of the basic components contained in a configurable logic block, and thus optimizes space usage. A set of basic PCRE blocks has been built in hardware to implement PCREs. Experimental results show that the proposed scheme outperforms existing designs by at least fivefold.
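To make concrete why a constrained repetition needs a counter at all, and how such a counter block is wired between the other PCRE blocks, here is an added software simulation of the block structure the abstract describes. It is not the paper's SelectRAM design: the block names (`Literal`, `CountedRepeat`, `PcreChain`), the one-clock registered enable between blocks, the "restart on a new enable" counter policy and the sample pattern `/=[0-9]{3,5};/` are all assumptions made for this illustration. A single counter keeps only the most recent start of a run, which is exact when the byte that completes the preceding block is not itself in the repeated class (true for the sample pattern); that limitation, and the requirement m >= 1, are stated in the code.

```python
"""Simulation of PCRE hardware blocks with a counter-based block for a
constrained repetition class{m,n}. Added illustration; not the paper's
SelectRAM design. Pattern and inputs are constructed for the example."""

from typing import List


class Literal:
    """Matches one byte. Output is high on the clock where that byte arrives
    and the enable input (previous block's output, one clock earlier) is high."""

    def __init__(self, byte: int):
        self.byte = byte

    def reset(self) -> None:
        pass

    def step(self, b: int, enable: bool) -> bool:
        return enable and b == self.byte


class CountedRepeat:
    """class{m,n} with one saturating counter (ceil(log2(n+1)) bits) instead
    of n unrolled copies of the class matcher.

    count == 0 means idle. A high enable together with a class byte starts or
    restarts a run at 1; further class bytes increment it; a byte outside the
    class, or a run longer than n, returns the block to idle. The output is
    high while m <= count <= n, i.e. whenever a run of acceptable length ends
    at the current byte.

    Assumed simplification: a single counter keeps only the most recent start,
    which is exact when the byte completing the preceding block is not in the
    class. Requires m >= 1 (a {0,n} form would need a bypass path)."""

    def __init__(self, cls: bytes, m: int, n: int):
        assert 1 <= m <= n, "block assumes 1 <= m <= n"
        self.cls = set(cls)
        self.m, self.n = m, n
        self.count = 0

    def reset(self) -> None:
        self.count = 0

    def step(self, b: int, enable: bool) -> bool:
        in_cls = b in self.cls
        if enable and in_cls:
            self.count = 1                      # run (re)starts right after the prefix
        elif self.count and in_cls and self.count < self.n:
            self.count += 1                     # run continues, not yet past n
        else:
            self.count = 0                      # class broken or run too long
        return self.m <= self.count <= self.n


class PcreChain:
    """Blocks in series; each block's output is registered and becomes the next
    block's enable on the following clock. The first enable is tied high, so the
    pattern is unanchored and searched at every offset."""

    def __init__(self, blocks):
        self.blocks = blocks
        self.reset()

    def reset(self) -> None:
        self.enables = [True] + [False] * len(self.blocks)
        for blk in self.blocks:
            blk.reset()

    def step(self, b: int) -> bool:
        outs = [blk.step(b, self.enables[i]) for i, blk in enumerate(self.blocks)]
        self.enables = [True] + outs
        return outs[-1]

    def search(self, data: bytes) -> List[int]:
        """Offsets of the bytes at which the whole pattern completes."""
        self.reset()
        return [i for i, b in enumerate(data) if self.step(b)]


def id_pattern() -> PcreChain:
    """Constructed sample pattern: the PCRE /=[0-9]{3,5};/."""
    return PcreChain([Literal(ord("=")),
                      CountedRepeat(b"0123456789", 3, 5),
                      Literal(ord(";"))])


if __name__ == "__main__":
    chain = id_pattern()
    for sample in (b"id=1234;", b"id=12;", b"id=123456;", b"x=999;y=55555;"):
        print(sample, chain.search(sample))
```

The space argument follows directly from the block: unrolling `[0-9]{3,5}` into five class matchers costs five matcher cells plus glue, whereas the counter form costs one matcher cell and a three-bit register, and the gap widens linearly with n while the counter grows only logarithmically.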