High Speed Pattern Matching for Network IDS/IPS

Mansoor Alicherry, M. Muthuprasanna, Vijay Kumar
Proceedings of the 2006 IEEE International Conference on Network Protocols (ICNP 2006)
The phenomenal growth of the Internet in the last decade, and society's increasing dependence on it, has brought with it a flood of security attacks on the networking and computing infrastructure. Intrusion detection and prevention systems defend against these attacks by monitoring the headers and payloads of the packets flowing through the network. Multiple string matching, which compares hundreds of string patterns simultaneously, is a critical component of these systems and is a well-studied problem. Most string matching solutions today are based on the classic Aho-Corasick algorithm, which has an inherent limitation: it processes only one input character per cycle. As memory speed is not growing at the same pace as network speed, this limitation has become a bottleneck in current networks running at tens of gigabits per second. In this paper, we propose a novel multiple string matching algorithm that processes multiple characters at a time, achieving multi-gigabit search rates. We also propose an architecture for an efficient implementation on TCAM-based (ternary content-addressable memory) hardware, and novel optimizations that exploit the properties of TCAMs to significantly reduce the memory requirements of the proposed algorithm. We finally present extensive simulation results of network-based virus/worm detection using real signature databases to illustrate the effectiveness of the proposed scheme.
doi:10.1109/icnp.2006.320212 dblp:conf/icnp/AlicherryMK06 fatcat:tbqqy2xjl5hu7drck3ryo2r6ge
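Added illustration, not code from the paper (whose construction is not reproduced here): the Python below builds a classic Aho-Corasick automaton and then emulates a TCAM as a priority-ordered table of ternary entries keyed on (state, k characters), with don't-care positions so that one lookup can advance several characters. It counts lookups against the one-character-per-cycle baseline. The entry layout (longest trie path first, skip-ahead entries at the root, a miss taking the failure link without consuming input), the window size k, and the signature and payload strings are the example's own assumptions.

```python
# Added example (not the paper's code or construction): Aho-Corasick with a
# TCAM-style multi-character lookup table. The signatures and payloads below are
# constructed sample data, not entries from any real signature database.
from collections import deque

WILD = None      # don't-care position in a ternary entry
END = object()   # pads a window that runs past the end of the input; matches only WILD


class AhoCorasick:
    """Classic Aho-Corasick: goto trie, failure links and output sets."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for p in patterns:
            if not p:
                raise ValueError("empty pattern")
            s = 0
            for ch in p:
                if ch not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.goto[s][ch] = len(self.goto) - 1
                s = self.goto[s][ch]
            self.out[s].add(p)
        queue = deque(self.goto[0].values())        # depth-1 states fail to the root
        while queue:
            s = queue.popleft()
            for ch, t in self.goto[s].items():
                f = self.fail[s]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(ch, 0)
                self.out[t] |= self.out[self.fail[t]]  # inherit matches of proper suffixes
                queue.append(t)

    def step(self, s, ch):
        """One character per cycle: the baseline the abstract calls a bottleneck."""
        while s and ch not in self.goto[s]:
            s = self.fail[s]
        return self.goto[s].get(ch, 0)

    def search(self, text):
        """Returns (sorted (end_index, pattern) matches, number of cycles)."""
        s, found = 0, []
        for i, ch in enumerate(text):
            s = self.step(s, ch)
            found.extend((i, p) for p in self.out[s])
        return sorted(found), len(text)


class TcamMatcher:
    """Emulated TCAM: priority-ordered entries (state, k ternary characters)."""

    def __init__(self, ac, k):
        self.ac, self.k = ac, k
        self.entries = []   # (state, key, chars_consumed, next_state, matches) in priority order
        starts = set(ac.goto[0])      # characters that begin some pattern
        for s in range(len(ac.goto)):
            paths = []
            self._walk(s, (), [], paths)
            paths.sort(key=lambda e: -len(e[0]))   # longest trie path wins
            for key, nxt, matches in paths:
                self.entries.append((s, key + (WILD,) * (k - len(key)), len(key), nxt, matches))
            if s == 0:
                # Skip-ahead: positions 1..i-1 start no pattern but position i might,
                # so consume i-1 characters and stay at the root.
                for i in range(2, k + 1):
                    for ch in starts:
                        key = (WILD,) * (i - 1) + (ch,) + (WILD,) * (k - i)
                        self.entries.append((0, key, i - 1, 0, []))
                self.entries.append((0, (WILD,) * k, k, 0, []))  # nothing starts: skip all k

    def _walk(self, s, key, matches, paths):
        """Enumerate every goto (trie) path of length 1..k starting at state s."""
        if len(key) == self.k:
            return
        for ch, t in self.ac.goto[s].items():
            key2 = key + (ch,)
            matches2 = matches + [(len(key2) - 1, p) for p in self.ac.out[t]]
            paths.append((key2, t, matches2))
            self._walk(t, key2, matches2, paths)

    def lookup(self, s, window):
        """Highest-priority entry whose state and ternary key match the window."""
        for st, key, consume, nxt, matches in self.entries:
            if st == s and all(kc is WILD or kc == wc for kc, wc in zip(key, window)):
                return consume, nxt, matches
        return None   # miss: no goto edge on the first character of the window

    def search(self, text):
        """Returns (sorted matches, number of TCAM lookups)."""
        s, pos, found, lookups = 0, 0, [], 0
        while pos < len(text):
            window = tuple(text[pos:pos + self.k])
            window += (END,) * (self.k - len(window))
            lookups += 1
            hit = self.lookup(s, window)
            if hit is None:
                s = self.ac.fail[s]   # failure transition consumes no input
                continue
            consume, nxt, matches = hit
            found.extend((pos + off, p) for off, p in matches)
            pos, s = pos + consume, nxt
        return sorted(found), lookups


def demo(k=4):
    """Constructed signatures and payload; both matchers must report the same matches."""
    ac = AhoCorasick(["he", "she", "his", "hers"])
    tcam = TcamMatcher(ac, k)
    payload = "ushers"
    return ac.search(payload), tcam.search(payload), len(tcam.entries)


if __name__ == "__main__":
    (ac_hits, cycles), (tcam_hits, lookups), n_entries = demo()
    assert ac_hits == tcam_hits
    print(f"matches={ac_hits} cycles={cycles} tcam_lookups={lookups} entries={n_entries}")
```

With k=4 the constructed signature set needs 28 ternary entries, where a dense table keyed on (state, four bytes) would need one entry per state per 2^32 four-byte combination; on the payload "ushers" the emulated TCAM does four lookups where the single-character automaton does six. The gain comes from the root skip-ahead entries, so an input that keeps spelling signature prefixes (every character following a goto edge) falls back toward one character per lookup; a practitioner sizing such a design should measure throughput on adversarial as well as typical traffic.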