A High-speed Pattern Matching Acceleration System for Network Intrusion Prevention Systems


The KIPS Transactions:PartA, Vol. 12, No. 2, pp. 87-94, Apr. 2005
DOI: 10.3745/KIPSTA.2005.12.2.87

Abstract

Pattern matching is one of the critical parts of Network Intrusion Prevention Systems (NIPS) and is computationally intensive. To handle a large number of attack signature patterns that grows every day, a network intrusion prevention system requires a multi-pattern matching method that can meet the line speed of packet transfer. In this paper, we analyze Snort, a widely used open source network intrusion prevention/detection system, and its pattern matching characteristics. A multi-pattern matching method for NIPS should efficiently handle a large number of patterns with a wide range of pattern lengths, as well as case-insensitive pattern matches. It should also be able to process multiple input characters in parallel. We propose a multi-pattern matching hardware accelerator based on the Shift-OR pattern matching algorithm. We evaluate the performance of the pattern matching accelerator under various assumptions. The performance evaluation shows that the pattern matching accelerator can be more than 80 times faster than the fastest software multi-pattern matching method used in Snort.
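As an added illustration that is not taken from the paper: a textbook software Shift-OR matcher in C, showing how the requirements named in the abstract (several patterns of different lengths, case-insensitive matches) map onto per-byte bit masks. The function names, the 64-byte pattern limit and the sample payload are assumptions made for this sketch; the paper's hardware design is not reproduced here.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
/* One 64-bit state word per pattern, so a pattern is 1..64 bytes. */
typedef struct {
    uint64_t mask[256]; /* bit i is 0 iff this byte matches pattern[i] */
    uint64_t accept;    /* bit len-1; 0 in the state means a full match */
} shiftor_t;

/* Build the per-byte masks; returns -1 if the pattern does not fit. */
int shiftor_compile(shiftor_t *p, const char *pat, int nocase) {
    size_t len = strlen(pat);
    if (len == 0 || len > 64) return -1;
    memset(p->mask, 0xff, sizeof p->mask);
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pat[i];
        p->mask[c] &= ~(1ULL << i);
        if (nocase) { /* fold case in the table, not at scan time */
            p->mask[tolower(c)] &= ~(1ULL << i);
            p->mask[toupper(c)] &= ~(1ULL << i);
        }
    }
    p->accept = 1ULL << (len - 1);
    return 0;
}

/* Each input byte advances all n states (caller initialises them to ~0). */
void shiftor_scan(const shiftor_t *p, uint64_t *state, size_t n,
                  const char *buf, size_t buflen, size_t *hits) {
    for (size_t j = 0; j < buflen; j++) {
        unsigned char c = (unsigned char)buf[j];
        for (size_t k = 0; k < n; k++) {
            state[k] = (state[k] << 1) | p[k].mask[c];
            if (!(state[k] & p[k].accept)) hits[k]++; /* overlaps count */
        }
    }
}

/* Constructed sample: three patterns of different lengths, one payload. */
size_t sample_hits(size_t k) {
    static const char payload[] = "GET /CMD.exe HTTP/1.0 http/1.1 aaa cmd.EXE";
    shiftor_t p[3];
    uint64_t state[3] = { ~0ULL, ~0ULL, ~0ULL };
    size_t hits[3] = { 0, 0, 0 };
    if (k >= 3 || shiftor_compile(&p[0], "cmd.exe", 1) ||
        shiftor_compile(&p[1], "HTTP/1.", 0) ||
        shiftor_compile(&p[2], "aa", 0)) return 0;
    shiftor_scan(p, state, 3, payload, sizeof payload - 1, hits);
    return hits[k];
}
```

Because the state array is owned by the caller, it can be carried across consecutive buffers so that a pattern split over two packets of one stream is still matched.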



Cite this article
[IEEE Style]
S. I. Kim, "A High-speed Pattern Matching Acceleration System for Network Intrusion Prevention Systems," The KIPS Transactions:PartA, vol. 12, no. 2, pp. 87-94, 2005. DOI: 10.3745/KIPSTA.2005.12.2.87.

[ACM Style]
Sun Il Kim. 2005. A High-speed Pattern Matching Acceleration System for Network Intrusion Prevention Systems. The KIPS Transactions:PartA, 12, 2, (2005), 87-94. DOI: 10.3745/KIPSTA.2005.12.2.87.