A memory-based NFA regular expression match engine for signature-based intrusion detection |
| |
| Authors: | Derek Pao Nga Lam Or Ray C.C. Cheung |
| |
| Affiliation: | 1. 28th Institute, China Electronics Technology Group Corporation, Nanjing 210007, China;2. Department of Computer Science and Technology, Xi’an Jiao Tong University, Xi’an 710049, China;3. Department of Surveying and Geoinformatics, Tongji University, Shanghai 200092, China |
| |
| Abstract: | Signature-based intrusion detection is required to inspect network traffic at wire-speed. Matching packet payloads against patterns specified with regular expression is a computation intensive task. Hence, the design of hardware accelerator to speed up regular expression matching has been an active research area. A systematic approach to detect regular expression is based on finite automaton. The space-time trade-off between deterministic finite automaton (DFA) and non-deterministic finite automaton (NFA) is well-known. DFA can offer constant throughput but it may suffer from the state explosion problem. Hence, implementation of DFA for large pattern sets on embedded device with limited on-chip memory may not be viable. NFA requires linear space but the throughput can be very low. Implementations of NFA with hardwired circuits can overcome the speed deficiency by exploiting the massive parallelism offered by dedicated hardware circuitries, but this approach does not support efficient dynamic updates. In this paper, we shall present a memory-based architecture for the implementation of NFA to speed up regular expression matching for signature-based intrusion detection. The proposed method supports dynamic updates and offers constant throughput so that it can be used to supplement the existing DFA-based methods in handling large pattern sets. |
| |
| Keywords: | Signature-based intrusion detection Regular expression matching Non-deterministic finite automaton Memory-based architecture |
| 本文献已被 ScienceDirect 等数据库收录! |
|
