Open access

Bit-split string-matching engines for intrusion detection and prevention

Published: 01 March 2006

Abstract

Network Intrusion Detection and Prevention Systems have emerged as one of the most effective ways of providing security to those connected to the network and at the heart of almost every modern intrusion detection system is a string-matching algorithm. String matching is one of the most critical elements because it allows for the system to make decisions based not just on the headers, but the actual content flowing through the network. Unfortunately, checking every byte of every packet to see if it matches one of a set of thousands of strings becomes a computationally intensive task as network speeds grow into the tens, and eventually hundreds, of gigabits/second. To keep up with these speeds, a specialized device is required, one that can maintain tight bounds on worst-case performance, that can be updated with new rules without interrupting operation, and one that is efficient enough that it could be included on-chip with existing network chips or even into wireless devices. We have developed an approach that relies on a special purpose architecture that executes novel string matching algorithms specially optimized for implementation in our design. We show how the problem can be solved by converting the large database of strings into many tiny state machines, each of which searches for a portion of the rules and a portion of the bits of each rule. Through the careful codesign and optimization of our architecture with a new string-matching algorithm, we show that it is possible to build a system that is 10 times more efficient than the currently best known approaches.
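A worked model of the construction the abstract describes, added here as an illustration rather than code from the paper or its hardware: a byte-level Aho-Corasick DFA for one small group of rules is split into eight binary state machines, one per bit position, each state carrying a partial match vector (PMV), and a pattern is reported only where all eight PMVs agree. The rule group and the input are constructed sample data, and the function names are this example's own.

```python
from collections import deque
def build_ac(patterns):
    # Aho-Corasick trie expanded to a full 256-way byte DFA; out[s] = ids of patterns ending at s.
    goto, out = [{}], [set()]
    for i, p in enumerate(patterns):
        s = 0
        for c in p:
            if c not in goto[s]:
                goto.append({}); out.append(set()); goto[s][c] = len(goto) - 1
            s = goto[s][c]
        out[s].add(i)
    delta, fail, q = [[0] * 256 for _ in goto], [0] * len(goto), deque([0])
    while q:                                   # BFS: failure links, then the dense row
        s = q.popleft()
        out[s] |= out[fail[s]]                 # fold the failure chain's outputs into out[s]
        for c, t in goto[s].items():
            fail[t] = delta[fail[s]][c]; q.append(t)
        delta[s] = [goto[s].get(c, delta[fail[s]][c]) for c in range(256)]
    return delta, out

def bit_split(delta, out):
    # One binary FSM per bit position. A bit-split state is the SET of byte-DFA states
    # consistent with the bits seen so far; its partial match vector is the union of their outputs.
    machines = []
    for b in range(8):
        bucket = [[c for c in range(256) if (c >> b) & 1 == v] for v in (0, 1)]
        q = deque([frozenset([0])]); ids, trans, pmv = {q[0]: 0}, [[0, 0]], [frozenset(out[0])]
        while q:
            cur = q.popleft()
            for v in (0, 1):
                nxt = frozenset(delta[s][c] for s in cur for c in bucket[v])
                if nxt not in ids:
                    ids[nxt] = len(trans); trans.append([0, 0]); q.append(nxt)
                    pmv.append(frozenset().union(*(out[s] for s in nxt)))
                trans[ids[cur]][v] = ids[nxt]
        machines.append((trans, pmv))
    return machines

def search(machines, data):
    # All 8 FSMs step on one byte's bits per cycle; report a pattern only when every PMV contains it.
    state = [0] * 8
    for pos, byte in enumerate(data):
        for b, (trans, _) in enumerate(machines):
            state[b] = trans[state[b]][(byte >> b) & 1]
        agree = frozenset.intersection(*(pmv[state[b]] for b, (_, pmv) in enumerate(machines)))
        yield from ((pos, i) for i in sorted(agree))      # (end offset, pattern id)

def demo(data=b"ushers", patterns=(b"he", b"she", b"his", b"hers")):   # constructed toy rule group
    return list(search(bit_split(*build_ac(patterns)), data))       # [(3, 0), (3, 1), (5, 3)]
```

The intersection of the eight PMVs is exact: a pattern survives the AND only if its bytes agree with the input at every bit position, so no false matches are introduced by the split. The paper keeps each engine's rule group small so that the bit-split state sets stay small; this example uses a single group.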

Published In

ACM Transactions on Architecture and Code Optimization, Volume 3, Issue 1
March 2006
114 pages
ISSN: 1544-3566
EISSN: 1544-3973
DOI: 10.1145/1132462

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 01 March 2006
Published in TACO Volume 3, Issue 1

Author Tags

1. String-matching architecture
2. security
3. state machine splitting