I nternational Journal Of Computational Engineering Research (ijceronline.com) Vol. 3 Issue.1
Memory Efficient Bit Split Based Pattern Matching For Network Intrusion Detection System 1,
Borra Sudhakiran, 2,G.Nalini 1,
M.Tech student, 2,Asst. Professor Lenora College of Eng ineering , Rampachodavaram,E.G,Dt.,India
1,2,
Abstract: In recent days hardware based Network intrusion detection system is used to inspect packet contents against thousands of pre defined malicious or suspicious patterns I order to support the high speed internet download. Because traditional software alone pattern matching approaches can no longer meet the high throughput of today‟s networking, many hardware approaches are proposed to accelerate pattern matching. A mong hardware approaches, memo ry-based architecture has attracted a lot of attention because of its easy reconfigurability and scalability. In order to accommodate the increasing number of attack patterns and meet the throughput requirement of networks, a successful network intrusion detection system must have a memory -efficient pattern-matching algorith m and hardware design. In this paper, we propose a memory-efficient pattern-matching algorith m wh ich can significantly reduce the memory requirement. Here we propose bit split based pattern matching which will match more pattern as compared to any ASCII value based matching.
1. Introduction Network Intrusion Detection Systems (NIDS) perfo rm deep packet inspection. They scan packe t‟s payload looking fo r patterns that would indicate security threats. Matching every incoming byte, though, against thousands of pattern characters at wire rates is a complicated task. Measurements on SNORT show that 31% of total processing is due to string matching; the percentage goes up to 80% in the case of Web -intensive traffic [20]. So, string matching can be considered as one of the most computationally intensive parts of a NIDS and in this thesis we focus on payload matching.Many different algorithms or comb ination of algorith ms have been introduced and implemented in general purpose processors (GPP) for fast string matching[16, 20, 42, 35, 3, 2], using mostly SNORT open source NIDS rule -set [38, 41]. However, intrusion detection systems running in GPP can only serve up to a few hundred Mbps throughput. Therefore, seeking for hardware -based solutions is possibly the only way to increase performance for speeds higher than a few hundred Mbps. Until now several ASIC co mmercial products have been deve loped [31, 30, 27,28, 29, 32]. These systems can support high throughput, but constitute a relatively expensive solution. On the other hand, FPGA -based systems provide higher flexibility and comparable to ASICs performance. FPGA -based platforms can explo it the fact that the NIDS rules change relatively infrequently, and use reconfiguration to reduce imp lementation cost. In addition, they can exploit parallelis m in order to achieve satisfactory processing throughput. Several architectures have been proposed for FPGA-based NIDS, using regular expressions (NFAs/DFAs) [40, 34, 36, 22, 14, 15], CAM [23], discrete comparators [13, 12, 7, 6, 5, 43, 44], and approximate filtering techniques [4, 18]. Generally, the performance results of FPGA systems are promising, showing that FPGAs can be used to support the increasing needs for network security. FPGAs are flexib le, reconfigurable, prov ide hardware speed, and therefore, are suitable for imp lementing such systems. On the other hand, there are several issues that should be faced. Large designs are complex and therefore hard to operate at high frequency. Additionally, matching a large number of pat -terns has high area cost, so sharing logic is crit ical, since it could save a significant amount of resou rces, and make designs smaller and faster. 2. Software-Based Packet Inspection Network Intrusion Detection Systems (NIDS) attempt to detect attacks by monitoring in -co ming traffic for suspicious contents. They collect data from network, monitor activ it y across network, analyze packets, and report any intrusive behavior in an automated fashion. Intrusion detection systems use advanced pattern matching techniques (i.e. Boyer and Moore, Aho and Corasick, Fisk and Varghese) on network packets to identify kn own attacks. They use simple rules (or search patterns) to identify possible security threats, much like v irus detection software, and report offending packets to the admin istrators for further actions. NIDSs should be updated frequently, since new signatu res may be added or others may change on a weekly basis. A. SNORT RUL E: SNORT is an open-source NIDS that has been extensively used. Based on a rule database, SNORT monitors network traffic and detect intrusion events. Many researchers developed string matching algorith ms, combination of algorith ms and techniques such as pre-filtering in order to improve SNORT‟s performance. SNORT rule can contain header and content fields. The header part checks the protocol, and source and destination IP address a nd port. The content part scans packets payload for one or more patterns. The matching pattern may be in ASCII, HEX or mixed format. HEX parts are between vertical bar sy mbols „j‟. An example of a SNORT rule is: ||Issn 2250-3005(online)||
||January || 2013
Page 22