Design and Implementation of a Multi-Pattern Matching Circuit for Intrusion Detection Systems


Bibliographic Details
Main Authors: Szu-Yuan Peng, 彭思淵
Other Authors: Shao-Wei Leu
Format: Others
Language: zh-TW
Published: 2003
Online Access: http://ndltd.ncl.edu.tw/handle/85349675616572811987
id ndltd-TW-091NTOU0442025
record_format oai_dc
spelling ndltd-TW-091NTOU0442025 2016-06-22T04:26:45Z http://ndltd.ncl.edu.tw/handle/85349675616572811987 Design and Implementation of a Multi-Pattern Matching Circuit for Intrusion Detection Systems 網路入侵偵測系統之多樣式比對器設計與實現 Szu-Yuan Peng 彭思淵 Master's 國立海洋大學 電機工程學系 91 Shao-Wei Leu 呂紹偉 2003 thesis 40 zh-TW
collection NDLTD
sources NDLTD
description Master's === National Ocean University (國立海洋大學) === Department of Electrical Engineering (電機工程學系) === 91 === The main purpose of an intrusion detection system (IDS) is to monitor traffic on the network, sniff out malicious activities, block attacks on the computers, and alert the system administrators when necessary. A well-known example of an IDS is Snort, a freeware tool that uses misuse detection to sense network intrusions. The detection is primarily based on pattern matching against the contents of incoming packets. A match with any of the predetermined string patterns signifies a potential intrusion attempt. Pattern matching operations are highly CPU-bound and require a large number of memory accesses. When the network traffic is heavy, some packets are likely to elude the screening of Snort. To facilitate the pattern matching operations of an IDS, we propose in this thesis a multi-pattern matching hardware architecture. For performance considerations, we adopt the Aho-Corasick algorithm for pattern matching and use binary search to reduce memory references. The hardware is implemented with a VHDL-based FPGA design flow emphasizing design scalability and reusability. On our current FPGA platform, the circuit operates at a baud rate of 500 kByte/s, which is suitable for most ADSL applications. For high-speed network environments, our design can easily be replicated into a parallel pattern-matching engine and will be able to provide the performance enhancements required for a variety of applications.