Article

Multi-pattern signature matching for hardware network intrusion detection systems

Haoyu Song, Department of Computer Science and Engineering, Washington University of Saint Louis, USA
John W. Lockwood, Department of Computer Science and Engineering, Washington University of Saint Louis, USA
2005, en
ABI

Abstract

A network intrusion detection system (NIDS) performs deep inspection of packet payloads to identify, deter and contain malicious attacks over the Internet. It needs to perform exact matching on multi-pattern signatures in real time. In this paper we introduce an efficient data structure called the extended Bloom filter (EBF) and the corresponding algorithm to perform multi-pattern signature matching. We also present a technique to support long signature matching so that we need to maintain only a limited number of supported signature lengths for the EBFs. We show that at reasonable hardware cost we can achieve very fast and almost time-deterministic exact matching for thousands of signatures. The architecture takes advantage of embedded multi-port memories in FPGAs and can be used to build a full-featured hardware-based NIDS.

Citations and references

Cited by 20 references