High-performance intrusion detection and prevention systems are needed by network administrators to protect Internet systems from attack. Researchers have been working to implement components of intrusion detection and prevention systems for the highly popular Snort system in reconfigurable hardware. While considerable progress has been made in the areas of string matching and header processing, complete systems have not yet been demonstrated that effectively combine all of the functionality necessary to perform intrusion detection and prevention for real network systems. In this thesis, three architectures to perform rule processing, the heart of intrusion detection and prevention, are presented. The first system, called Snort Lite, implements a subset of the features necessary for rule processing in a single Xilinx Virtex XCV2000E field programmable gate array. The second system, called Snort Intrusion Filter for TCP (SIFT), reduces the amount of traffic an intrusion detection PC needs to examine by first searching that traffic for rule criteria. The final architecture presents a framework for implementing the entire rule processing system in reconfigurable hardware. The framework integrates the functionality to scan data flows for regular expressions, fixed strings, and header values. Additional processing modules can be added to the system to perform specific functionality required by some Snort rules. Reconfigurability and flexibility are key features of the system that enable it to adapt to protect Internet systems from threats including malicious worms, computer viruses, and network intruders. The framework allows experimentation with new techniques to perform the functionality required by intrusion systems. Each architecture uses the Field-programmable Port eXtender (FPX) platform to scan all bytes of Transmission Control Protocol/Internet Protocol (TCP/IP) traffic entering and leaving a network's gateway at multi-gigabit rates. The combined circuits perform deep-packet inspection to search for thousands of signatures. The rule processing framework supports up to 32,768 complex rules at data rates of 2.5 Gbps on the FPX platform.
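The decomposition the abstract describes, in which header values, fixed strings and regular expressions are scanned by separate modules and a rule fires only when all of its criteria are satisfied, is easiest to see in a small software model. The following Python block is an added illustration written for this page; it is not code from the report and does not model the FPX hardware, timing or throughput. The `Rule`, `Packet` and module function names, the rule set and the sample packets are all constructed for the example, and the Snort-like rule fields (protocol, destination port, `content`, `pcre`) are used only as a stand-in for the criteria the framework scans for.

```python
"""Toy software model of Snort-style rule processing.

Header processing, fixed-string matching and regular-expression matching
run as separate "modules" over each packet; the rule logic then combines
their results so that a rule fires only when every one of its criteria
matched.  Added illustration, not the report's hardware design.  Every
rule and packet below is constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str = "any"                     # header criterion
    dst_port: Optional[int] = None         # header criterion
    contents: List[bytes] = field(default_factory=list)      # fixed strings
    pcre: List[re.Pattern] = field(default_factory=list)     # regular expressions


def header_matches(rule: Rule, pkt: Packet) -> bool:
    """Header-processing module: protocol and destination-port checks."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def scan_strings(payload: bytes, needles: Set[bytes]) -> Set[bytes]:
    """String-matching module: one pass that reports every fixed string
    present in the payload, independent of which rules reference it."""
    return {n for n in needles if n in payload}


def scan_regex(payload: bytes, patterns: Set[re.Pattern]) -> Set[re.Pattern]:
    """Regular-expression module: reports every pattern that matches."""
    return {p for p in patterns if p.search(payload)}


def process(pkt: Packet, rules: List[Rule]) -> List[int]:
    """Rule logic: run each module once over the packet, then fire the
    rules whose header, string and regex criteria were all satisfied.
    Returns the SIDs of fired rules in rule order."""
    all_strings = {c for r in rules for c in r.contents}
    all_patterns = {p for r in rules for p in r.pcre}
    hit_strings = scan_strings(pkt.payload, all_strings)
    hit_patterns = scan_regex(pkt.payload, all_patterns)
    fired = []
    for r in rules:
        if (header_matches(r, pkt)
                and all(c in hit_strings for c in r.contents)
                and all(p in hit_patterns for p in r.pcre)):
            fired.append(r.sid)
    return fired


# Constructed rule set (SIDs and messages are hypothetical).
RULES = [
    Rule(sid=1000001, msg="cgi-bin directory traversal attempt", proto="tcp",
         dst_port=80, contents=[b"GET ", b"/cgi-bin/"],
         pcre=[re.compile(rb"\.\./")]),
    Rule(sid=1000002, msg="root login attempt", contents=[b"USER root"]),
    Rule(sid=1000003, msg="overlong DNS label", proto="udp", dst_port=53,
         pcre=[re.compile(rb"[A-Za-z0-9-]{40,}")]),
]

# Constructed sample packets.
PACKETS = [
    Packet("tcp", 40000, 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", 40001, 21, b"USER root\r\n"),
    # Same payload as the first packet but wrong protocol and port: the
    # string and regex modules still report hits, but the header check
    # fails, so rule 1000001 must not fire.
    Packet("udp", 40002, 53, b"GET /cgi-bin/../x"),
    Packet("udp", 40003, 53, b"\x00" * 12 + b"A" * 48 + b".example.com"),
]


if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt.proto, pkt.dst_port, process(pkt, RULES))
```

The one-pass `scan_strings` and `scan_regex` calls stand in for the shared string-matching and regex circuits: each pattern is matched once per packet regardless of how many rules reference it, and per-rule cost is only the final combination step. Adding a new criterion type (for example a byte-offset test) means adding one more module and one more conjunct in `process`, which mirrors the framework's "additional processing modules".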
Attig, Michael E., "Architectures for Rule Processing Intrusion Detection and Prevention Systems," Report Number WUCSE-2005-18 (2005). All Computer Science and Engineering Research.
Permanent URL: http://dx.doi.org/10.7936/K7XG9PHV