by Zachary K. Baker, Viktor K. Prasanna
http://gridsec.usc.edu/files/TR/zbakerUSCtvlsi_v2.pdf
Abstract:
Pattern matching for network security and intrusion detection demands exceptionally high performance. This paper describes a novel systolic array-based string matching architecture using a buffered, two-comparator variation of the Knuth-Morris-Pratt (KMP) algorithm. The architecture compares favorably with the state-of-the-art hardwired designs while providing on-the-fly reconfiguration, efficient hardware utilization, and high clock rates. KMP is a well-known, computationally-efficient string matching technique that uses a single comparator and a precomputed transition table. Through the use of the transition table, the number of redundant comparisons performed is reduced. Through various algorithmic changes, we enable KMP to be used in hardware, providing the computational efficiency of the serial algorithm and the high throughput of a parallel hardware architecture. The efficiency of the system allows for a faster and denser implementation than any other RAM-based exact match system. We add a second comparator and an input buffer, then prove that the modified algorithm can function efficiently when implemented as an element of a systolic array. The system can accept at least one character in each cycle, while guaranteeing that the stream will never stall. In this paper, we prove the bound on the buffer size and running time of the systolic array, discuss the architectural considerations involved in the FPGA implementation, and provide performance comparisons against other approaches.