ChinaCom2008-Network and Information Security Symposium

Research Article

A Multiple Regular Expressions Matching Architecture for Network Intrusion Detection System

  • @INPROCEEDINGS{10.1109/CHINACOM.2008.4685118,
        author={Wei Zhang and Tian Song and Dongsheng Wang},
        title={A Multiple Regular Expressions Matching Architecture for Network Intrusion Detection System},
        proceedings={ChinaCom2008-Network and Information Security Symposium},
        publisher={IEEE},
        proceedings_a={CHINACOM2008-NIS},
        year={2008},
        month={11},
        keywords={pattern matching; regular expression matching; intrusion detection},
        doi={10.1109/CHINACOM.2008.4685118}
    }
    
Wei Zhang (1,*), Tian Song (2,*), Dongsheng Wang (3,*)
  • 1: Dept. of Computer Sci. & Tech., Tsinghua University, Beijing, 100084, P.R. China
  • 2: School of Computer Sci. & Tech., Beijing Institute of Technology, Beijing, 100081, P.R. China
  • 3: Microprocessor and SoC Tech. R&D, Tsinghua University, Beijing, 100084, P.R. China
*Contact email: zhwei02@mails.tsinghua.edu.cn, songtian@bit.edu.cn, wds@tsinghua.edu.cn

Abstract

Regular expressions are increasingly used in network security applications, and matching multiple regular expressions is one of the most important performance bottlenecks in those systems. This paper proposes a new hardware-based multiple regular expressions matching architecture, called MRM, for network intrusion detection systems. It shows that traditional algorithms, such as AC, face a serious space explosion problem when simultaneously detecting a large number of regular expressions, because of constrained repetitions. MRM uses hardware RAM modules to share matching signals and exploits hardware register counting to implement constrained repetitions. This paper also proposes a software compiler that constructs the hardware architecture and generates the contents of MRM's RAMs for the given regular expressions. Experiments on actual Snort and Bro regular expression sets show that MRM achieves throughput of 2.1 Gbps and 2.8 Gbps on Virtex2 and Virtex4 devices, respectively.