TriBiCa: Trie bitmap content analyzer for high-speed network intrusion detection

Cited by: 11
Authors
Artan, N. Sertac [1 ]
Chao, H. Jonathan [1 ]
Affiliation
[1] Polytech Univ, ECE Dept, 6 Metrotech Ctr, Brooklyn, NY 11201 USA
Source
INFOCOM 2007, VOLS 1-5 | 2007
Keywords
TriBiCa; NIDPS; minimal perfect hashing;
DOI
10.1109/INFCOM.2007.23
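Chinese Library Classification number
TM [Electrical engineering]; TN [Electronics and communication technology];
Discipline classification code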
0808 ; 0809 ;
Abstract
Deep packet inspection (DPI) is often used in network intrusion detection and prevention systems (NIDPS), where incoming packet payloads are compared against known attack signatures. Processing every single byte in the incoming packet payload has a very stringent time constraint, e.g., 200 ps for a 40-Gbps line. Traditional DPI systems either need a large memory space or use special memory such as ternary content addressable memory (TCAM), limiting parallelism, or yielding high cost/power consumption. In this paper, we present a high-speed, single-chip DPI scheme that is scalable and configurable through memory updates. The scheme is based on a novel data structure called TriBiCa (Trie Bitmap Content Analyzer), which provides minimal perfect hashing functionality. It uses a trie structure with a hash function performed at each layer. Branching is determined by the hashing results with an objective to evenly partition attack signatures into multiple groups at each layer. During a query, as an input traverses the trie, an address to a table in the memory that stores all attack signatures is formed and is used to access the signature for an exact match. Due to the small space required, multiple copies of TriBiCa can be implemented on a single chip to perform pipelining and parallelism simultaneously, thus achieving high throughput. We have designed the TriBiCa on a modest FPGA chip, Xilinx Virtex II Pro, achieving 10-Gbps throughput without using any external memory. A proof-of-concept design is implemented and tested with 1-Gbps packet streams. By using today's state-of-the-art FPGAs, a throughput of 40 Gbps is believed to be achievable.
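The lookup path the abstract describes (hash at each trie node, bitmap-driven branching that splits the signatures evenly, an address formed during traversal, then one exact compare) can be sketched in software as follows. This is an added illustration, not the paper's hardware design: the binary fan-out, the per-node seeded BLAKE2b hash, the bitmap width of 4n, the greedy balancing and the sample signatures are all assumptions made for the example.

```python
import hashlib

def bucket(seed, data, width):
    # Seeded software hash standing in for a hardware hash unit (assumption).
    digest = hashlib.blake2b(data, digest_size=8, salt=seed.to_bytes(8, "little")).digest()
    return int.from_bytes(digest, "little") % width

def build(sigs, table):
    """Build one trie node; append signatures to `table` in leaf order."""
    if len(sigs) == 1:
        table.append(sigs[0])
        return None  # leaf: the address is fully formed
    width = 4 * len(sigs)  # bitmap size per node (assumption)
    for seed in range(10_000):
        groups = {}
        for s in sigs:
            groups.setdefault(bucket(seed, s, width), []).append(s)
        left, right, bitmap = [], [], 0
        # Colliding signatures share a bit, so whole buckets move together.
        for b, members in sorted(groups.items(), key=lambda kv: -len(kv[1])):
            if len(left) <= len(right):
                left += members
            else:
                right += members
                bitmap |= 1 << b  # bit set means "branch right"
        if abs(len(left) - len(right)) <= 1:  # even partition found
            return (seed, width, bitmap, len(left),
                    build(left, table), build(right, table))
    raise RuntimeError("no balancing hash found")

def compile_signatures(sigs):
    table = []
    return build(sorted(set(sigs)), table), table

def lookup(root, table, data):
    """Walk the trie to form a table address, then do one exact compare."""
    node, addr = root, 0
    while node is not None:
        seed, width, bitmap, left_count, left, right = node
        if (bitmap >> bucket(seed, data, width)) & 1:
            addr, node = addr + left_count, right
        else:
            node = left
    return addr if table[addr] == data else None

# Constructed sample signatures (not from the paper).
SIGS = [b"EXAMPLE-SIG-%02d" % i for i in range(13)]
ROOT, TABLE = compile_signatures(SIGS)
```

Every signature lands on its own address in a table with no empty slots, which is the minimal perfect hashing property; any other input still reaches some address but fails the final exact compare.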
Pages: 125 / +
Page count: 2