Design and Implementation of High-Speed Pattern Matcher Using Multi-Entry Simultaneous Comparator in Network Intrusion Detection System

  • Received : 2015.10.16
  • Accepted : 2015.11.10
  • Published : 2015.11.30

Abstract

This paper proposes a new pattern matching module that overcomes the increased runtime of the previous RAM-based algorithm, which was itself designed to overcome the cost limitation of hash-based algorithms using CAM (Content Addressable Memory). The proposed module adopts the Merge FSM algorithm to reduce the number of states and contains a state block and an entry block so that it can use RAM. In the proposed module, one input string is compared with multiple entry strings simultaneously in the entry block. The effectiveness of the proposed pattern matching unit is verified by running the Snort 2.9 rule set. Experimental results show that, compared to previous methods, the number of memory reads decreased by 15.8% and throughput increased by 47.1%, while memory usage increased by 2.6%.

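This paper uses RAM to overcome the cost limitations of CAM-based and hash-structure-based algorithms in network intrusion detection systems. It proposes a new pattern matcher that addresses the real-time processing delay that existing RAM-based algorithms incur when handling multiple entries. The proposed pattern matcher applies the Merge FSM algorithm to reduce the number of states, and it contains a state block and an entry block in order to use RAM. When several entry strings must be compared with the input string, the entry block compares the input string with those entry strings simultaneously. The proposed pattern matcher was verified using the Snort 2.9 rules. Experimental results show that, compared with the existing search method, memory access frequency decreased by 15.8%, total memory size increased by 2.6%, and processing speed increased by 47.1%.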
