João Bispo

R – INESC-ID Lisboa


Recent intrusion detection systems (IDS) use regular expressions instead of
static patterns as a more efficient way to represent hazardous packet
payload contents. This presentation focuses on regular-expression
pattern-matching engines implemented in reconfigurable hardware. We present a
Nondeterministic Finite Automata (NFA) based implementation, which takes
advantage of new basic building blocks to support more complex regular
expressions than previous approaches. Our methodology is supported by a
tool that automatically generates the circuitry for the given regular
expressions, outputting VHDL representations ready for logic synthesis.
Furthermore, we include techniques to reduce the area cost of our designs
and maximize performance when targeting FPGAs.

Experimental results show that our tool is able to generate a regular
expression engine to match more than 500 IDS regular expressions (from the
Snort ruleset) using only 25K logic cells and achieving 2 Gbps throughput on
a Virtex2 device and 2.9 Gbps on a Virtex4 device. In terms of throughput per
area required to match each non-meta character, our design is 3.4x and 10x
more efficient than previous ASIC and FPGA approaches, respectively.


Date: 2006-Nov-25     Time: 14:30:00     Room: sala 1.65, IST, TagusPark.
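
A software model of the one-hot NFA technique commonly used for regular-expression matching on FPGAs, given here as an added example and not the speaker's tool or generated circuitry: each pattern item gets one state bit (a flip-flop in hardware) and one payload byte is consumed per step. The function names, the supported regex subset, and the sample payload are assumptions of this sketch.

```python
def compile_nfa(pattern):
    """Compile a regex subset into one-hot NFA wiring (one state bit per item).
    Subset assumed by this sketch: literals, '.', [a-z] classes, postfix * + ?"""
    items, i = [], 0                      # items: (set of byte values, quantifier)
    while i < len(pattern):
        if pattern[i] == '.':
            chars, i = set(range(256)), i + 1
        elif pattern[i] == '[':
            end = pattern.index(']', i)
            body, chars, k = pattern[i + 1:end], set(), 0
            while k < len(body):
                if k + 2 < len(body) and body[k + 1] == '-':
                    chars.update(range(ord(body[k]), ord(body[k + 2]) + 1))
                    k += 3
                else:
                    chars.add(ord(body[k]))
                    k += 1
            i = end + 1
        else:
            chars, i = {ord(pattern[i])}, i + 1
        quant = ''
        if i < len(pattern) and pattern[i] in ('*', '+', '?'):
            quant, i = pattern[i], i + 1
        items.append((chars, quant))
    n = len(items)
    skippable = [q in ('*', '?') for _, q in items]
    # char_mask[b]: which state comparators fire on byte b (shared decoder stage)
    char_mask = [sum(1 << s for s, (cs, _) in enumerate(items) if b in cs)
                 for b in range(256)]
    # pred[s]: states whose output enables state s (self-loop for * and +,
    # plus every earlier state separated from s only by skippable items)
    pred = [((1 << s) if items[s][1] in ('*', '+') else 0) |
            sum(1 << j for j in range(s) if all(skippable[j + 1:s]))
            for s in range(n)]
    init = sum(1 << s for s in range(n) if all(skippable[:s]))
    final = sum(1 << s for s in range(n) if all(skippable[s + 1:]))
    return char_mask, pred, init, final

def scan(nfa, payload):
    """Feed one payload byte per 'clock'; return the offset where a match ends, or -1."""
    char_mask, pred, init, final = nfa
    state = 0                                   # one bit per flip-flop
    for offset, byte in enumerate(payload):
        enabled = init                          # unanchored search: start is always on
        for s, p in enumerate(pred):
            if state & p:
                enabled |= 1 << s
        state = enabled & char_mask[byte]       # all states update in parallel
        if state & final:
            return offset
    return -1

SAMPLE_PAYLOAD = b"GET /?id=42;x"               # constructed payload, not real traffic
```

Every state bit is updated from the previous state in the same step, which is why the hardware version sustains one byte per clock regardless of how many states are active; patterns that can match the empty string are reported only once a byte actually matches.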
