Hardware Architectures to Accelerate Pattern Matching for Deep Packet Inspection
Project: Research
Researcher(s)
- Chi Wai Derek PAO (Principal Investigator / Project Coordinator), Department of Electrical Engineering
Description
Network attacks happen every day, everywhere, and cause widespread, catastrophic damage. There is a large variety of attacks, e.g. password cracking, session hijacking, sniffers, automated probes/scans, denial of service, distributed attack tools, etc. To combat sophisticated attacks, a network intrusion detection system (NIDS) needs to analyze not only the packet headers but also the contents of packet payloads. This process is called deep packet inspection. The majority of today's NIDSs use signature-based detection methods: packet payloads are checked against predefined signatures in real time. The NIDS can block suspicious packets and generate alerts and logs for malicious activities, which are useful for tracing the fingerprints of attackers.
Snort [27] is an open source NIDS which has established itself as the de facto standard of the industry. There are over 7000 rules defined in the Snort rule set. Deep packet inspection is computation intensive, especially when the input stream must be matched against a large number of patterns. Running Snort (or another software-based NIDS) on today's PCs can barely monitor Internet traffic at rates up to 400 Mbps, which is far below the traffic rate of institutional networks or commercial websites. The network administrator has two options: (i) turn off a large proportion of the rules; and/or (ii) allow packets to pass through the network without inspection. With either option, network security is compromised.
Detail(s)
Project number | 9041500 |
---|---|
Grant type | GRF |
Status | Finished |
Effective start/end date | 1/09/09 → 28/11/13 |