Design And Research On Intrusion Detection Engine

Posted on: 2007-08-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y F He
Full Text: PDF
GTID: 2178360182486878
Subject: Circuits and Systems

Abstract/Summary:
An Intrusion Detection System (IDS) acts as the second line of defence after the traditional firewall. As a powerful, dynamic and real-time detection system, it is drawing more and more attention these days. Pattern matching is the basic and pivotal technique in IDS, and the processing speed of the Pattern-Matching Engine (PME) largely decides the performance of the whole intrusion detection system.

After analyzing the structure of IDS, as well as the various software and hardware solutions for fast pattern matching, two PMEs based on CAM and TCAM are proposed: (1) a pattern-matching engine using grouping CAM; (2) a pipelined pattern-matching engine.

The first PME, the pattern-matching engine using grouping CAM, is a universal one. Besides IDS rules, it also fits pattern matching for many virus libraries. This engine supports the "?" wildcard, the "nocase" keyword (meaning that either an upper-case or a lower-case letter is considered a valid match), and long-pattern compression. Payload-switching and model-level parallel techniques are also introduced into this engine to improve throughput.

The pipelined pattern-matching engine has even better performance. Its memory-cell sharing method reduces CAM cost by more than 50%, addressing the problem that the area and power consumption of CAM are usually too high.

Both PMEs reach multi-gigabit throughput, which meets the requirement of high-speed intrusion detection in networks below 10 Gbit/s. The thesis then proposes a pattern-matching system based on these PMEs and introduces its system architecture, bus structure, data interface, etc.

The widely used Snort rules are analyzed in this thesis, and an implementation of Snort using the proposed PMEs is discussed. Moreover, protocol analysis and packet-header classification techniques are brought in according to the features of Snort rules, which further reduce power consumption and improve system throughput.
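As an added example (not code from the thesis), the following Python models the TCAM lookup the abstract describes: each content pattern is compiled to a value word plus a care mask, "?" becomes a don't-care byte, a nocase pattern is case-folded, and every entry is compared against each payload window as a CAM would in parallel. The grouping and memory-cell sharing techniques of the thesis are not modelled; pattern names and the sample payload are constructed.

```python
"""Software model of a TCAM-style pattern-matching engine for IDS payloads.

Assumption (not from the thesis): a pattern is stored as (value, mask) bytes,
mask 0xFF = compare this byte, mask 0x00 = wildcard ("?").
"""
from dataclasses import dataclass

CARE = 0xFF       # mask byte: the payload byte must equal the stored value
DONT_CARE = 0x00  # mask byte: any payload byte matches ("?" wildcard)


@dataclass(frozen=True)
class TcamEntry:
    name: str
    value: bytes   # stored pattern bytes (case-folded when nocase)
    mask: bytes    # per-byte care mask, same length as value
    nocase: bool


def compile_pattern(name: str, pattern: str, nocase: bool = False) -> TcamEntry:
    """Turn an ASCII content pattern into a TCAM value/mask pair."""
    value, mask = bytearray(), bytearray()
    for ch in pattern:
        if ch == "?":
            value.append(0)
            mask.append(DONT_CARE)
        else:
            value.append(ord(ch.lower() if nocase else ch))
            mask.append(CARE)
    return TcamEntry(name, bytes(value), bytes(mask), nocase)


def _window_matches(entry: TcamEntry, window: bytes) -> bool:
    """TCAM compare: (payload & mask) == value for every stored byte."""
    if len(window) < len(entry.value):
        return False
    if entry.nocase:
        window = window.lower()  # fold the payload side for "nocase"
    return all((w & m) == v for w, m, v in zip(window, entry.mask, entry.value))


def scan_payload(entries, payload: bytes):
    """Slide over the payload; at each offset all entries are looked up at once."""
    hits = []
    for off in range(len(payload)):
        for entry in entries:
            if _window_matches(entry, payload[off:]):
                hits.append((off, entry.name))
    return hits


if __name__ == "__main__":
    # Constructed sample rules and payload, not taken from any rule set.
    rules = [compile_pattern("cmd", "cmd.exe", nocase=True),
             compile_pattern("sh", "/bin/?h")]
    print(scan_payload(rules, b"GET /CMD.EXE?x=/bin/sh HTTP/1.0"))
```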
Keywords/Search Tags: Intrusion Detection, Pattern-Matching, CAM/TCAM, Pipeline, Snort