TY - GEN
T1 - Improved TCAM-based pre-filtering for network intrusion detection systems
AU - Chang, Yeim Kuan
AU - Tsai, Ming Li
AU - Su, Cheng Chien
PY - 2008
Y1 - 2008
AB - With the increasing growth of the Internet, the explosion of attacks and viruses significantly affects network security. A Network Intrusion Detection System (NIDS) is developed to identify these network attacks by a set of rules. However, searching for multiple patterns is a computationally expensive task in a NIDS. Traditional software-based solutions cannot meet the high bandwidth demanded by current high-speed networks. In the past, pre-filtering designed for NIDS has been an effective technique that can reduce the processing overhead significantly. An FNP-like TCAM searching engine (FTSE) [5] [6] is an example that uses a 2-stage architecture to detect whether an incoming string contains patterns. In this paper, we propose two techniques to improve the performance of FTSE, which utilizes ternary content addressable memory (TCAM) as a pre-filter to achieve gigabit performance. The first technique performs the w-byte suffix pattern match instead of using the w-byte prefix. The second technique finds the matching results from all groups rather than only the first group. We finally present the simulation results using the Snort pattern set and DEFCON packet traces.
UR - http://www.scopus.com/inward/record.url?scp=50249164897&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=50249164897&partnerID=8YFLogxK
U2 - 10.1109/AINA.2008.120
DO - 10.1109/AINA.2008.120
M3 - Conference contribution
AN - SCOPUS:50249164897
SN - 0769530958
SN - 9780769530956
T3 - Proceedings - International Conference on Advanced Information Networking and Applications, AINA
SP - 985
EP - 990
BT - Proceedings - 22nd International Conference on Advanced Information Networking and Applications, AINA 2008
T2 - 22nd International Conference on Advanced Information Networking and Applications, AINA 2008
Y2 - 25 March 2008 through 28 March 2008
ER -