Efficient Packet Matching for Gigabit Network Intrusion Detection using TCAMs PowerPoint PPT Presentation

1
Efficient Packet Matching for Gigabit Network Intrusion Detection using TCAMs
Authors: Ming Gao, Kenong Zhang, Jiahua Lu
Publisher: Proceedings of the 20th International Conference on Advanced Information Networking and Applications (AINA'06)
Presenter: Kuan-Ying Ho
Date: 2006/11/09 (Thu.)
Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C.
2
Outline
  • 1. Introduction
  • 2. Related works
  • 3. Proposed schemes
  • 4. Analysis
  • 5. Conclusion

3
NIDS
  • Network intrusion detection systems
  • Saving time is important for prevention, especially when the network is under attack from new worms
  • Software-based NIDS handle today's high-speed networks poorly, such as Gigabit Ethernet and ATM networks
  • ex: Snort
    • Has more than 2000 signatures and nearly 300 header rules
    • In fact, a software SNORT system can handle link rates of no more than 100 Mbps under normal traffic loads

5
Methods of NIDS
  • Software-based
    • Single pattern matching: O(k(mn))
      • Knuth-Morris-Pratt (KMP), Boyer-Moore (BM)
    • Multi-pattern matching: O(n)
      • Aho-Corasick (AC), Commentz-Walter (CW)
  • FPGA-based
    • Reaches very high throughput speeds
    • Costs too many hardware resources

6
(No Transcript)
7
TCAM-based Methods
  • O(1)
  • This paper focuses on the widely adopted first-match TCAM
  • Problems
    • TCAM cannot be used directly to scan the payload for the CIDs of long patterns
    • Storing header patterns with port range fields in TCAM is space-inefficient

9
Long pattern problem
  • TCAM cannot be used directly to scan the payload for the CIDs of long patterns
    • In the current state of the art, the width of TCAMs is no more than 64 bytes
    • The longest signature in the SNORT signature set is 122 bytes now
  • Solution: use cascaded TCAMs

10
Cascade TCAMs architecture
  • P1 = ABCDEFG → p11 = ABCD, p12 = EFG
  • P2 = EFGHIJKLAB → p21 = EFGH, p22 = IJKL, p23 = LAB

11
Payload contents matching engine
  • In TCAM_1, one long pattern may have several possible combinations of Pij, which will occupy several entries in TCAM_2.
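
To make slides 10 and 11 concrete, here is a small Python simulation of the two-stage cascade. It is added here as an illustration and is not the authors' implementation: the 4-byte TCAM_1 width, the longest-first first-match ordering, the split of P2 into EFGH/IJKL/AB (the slide's own split ends in LAB) and the constructed payload are all assumptions of this example. TCAM_1 holds every sub-pattern as a prefix entry with a don't-care suffix; TCAM_2 holds, per long pattern, the sequence of TCAM_1 IDs expected at consecutive width offsets. It also shows why slide 11 says one long pattern may need several TCAM_2 entries: a window that begins with the short tail chunk EFG but continues with H returns the full-width EFGH entry under first-match, so TCAM_2 must list both combinations or the pattern is missed.

```python
from itertools import product

WIDTH = 4  # assumed TCAM_1 entry width in bytes (real parts top out at 64 bytes, slide 9)

# Constructed sample data for this example (not from the paper).
PATTERNS = [b"ABCDEFG", b"EFGHIJKLAB"]          # P1 and P2 from slide 10
PAYLOAD = b"xxABCDEFGHIJKLABzz"                 # contains P1 at offset 2, P2 at offset 6


def split_pattern(pattern: bytes, width: int = WIDTH) -> list:
    """Cut a long pattern into sub-patterns of at most `width` bytes (slide 10)."""
    return [pattern[i:i + width] for i in range(0, len(pattern), width)]


class Tcam1:
    """First-match ternary table holding every sub-pattern.

    A sub-pattern shorter than the width is stored with a don't-care suffix.
    Entries are ordered longest-first, so a full-width chunk wins over a
    wildcarded one when both match the same window."""

    def __init__(self, chunks, width=WIDTH):
        self.width = width
        self.chunks = sorted(set(chunks), key=lambda c: (-len(c), c))
        self.ids = {c: i for i, c in enumerate(self.chunks)}

    def lookup(self, window: bytes):
        """Return the ID of the first entry matching `window`, or None."""
        for idx, chunk in enumerate(self.chunks):
            if window[:len(chunk)] == chunk:      # bytes past the chunk are don't-care
                return idx
        return None

    def possible_ids(self, chunk: bytes):
        """All IDs a window beginning with `chunk` might return: the chunk itself
        or any longer entry that starts with it (those come first in the table)."""
        return [i for i, c in enumerate(self.chunks)
                if len(c) >= len(chunk) and c.startswith(chunk)]


class CascadeMatcher:
    """TCAM_2 holds, per long pattern, the TCAM_1 ID sequence expected at
    consecutive `width` offsets. With expand=True every reachable ID
    combination gets its own entry (slide 11's "several entries")."""

    def __init__(self, patterns, width=WIDTH, expand=True):
        self.width = width
        self.tcam1 = Tcam1([c for p in patterns for c in split_pattern(p, width)], width)
        self.tcam2 = []  # list of (id_sequence, pattern)
        for p in patterns:
            chunks = split_pattern(p, width)
            if expand:
                alts = [self.tcam1.possible_ids(c) for c in chunks]
            else:  # naive: one entry per pattern built from its own chunk IDs
                alts = [[self.tcam1.ids[c]] for c in chunks]
            for seq in product(*alts):
                self.tcam2.append((seq, p))

    def scan(self, payload: bytes):
        """Return sorted (offset, pattern) pairs for every long pattern found."""
        # Stage 1: one TCAM_1 lookup per byte offset (the hardware does these in parallel).
        ids = [self.tcam1.lookup(payload[i:i + self.width]) for i in range(len(payload))]
        hits = set()
        for off in range(len(payload)):
            for seq, pat in self.tcam2:
                # Stage 2: the sub-pattern IDs must appear exactly `width` bytes apart.
                pos = [off + j * self.width for j in range(len(seq))]
                if pos[-1] < len(payload) and all(ids[q] == s for q, s in zip(pos, seq)):
                    hits.add((off, pat))
        return sorted(hits)


if __name__ == "__main__":
    m = CascadeMatcher(PATTERNS)
    print("TCAM_1 entries:", m.tcam1.chunks)
    print("TCAM_2 entries:", len(m.tcam2), "for", len(PATTERNS), "patterns")
    print("expanded TCAM_2 hits:", m.scan(PAYLOAD))
    print("naive TCAM_2 hits:   ", CascadeMatcher(PATTERNS, expand=False).scan(PAYLOAD))
```

With the expanded TCAM_2 both patterns are found; with `expand=False` the single entry for P1 expects the EFG* ID at offset 6, TCAM_1 returns the EFGH ID instead, and P1 is missed even though it is in the payload. The price is TCAM_2 space: four entries for two patterns here, which is the trade-off slide 11 points at.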

12
Solution for range matching
13
(No Transcript)
14
(No Transcript)
15
Header rules matching engine
  • k sub-tables allow k pairs of port ranges to be read out in O(1) time in parallel.
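
The range-field problem named on slide 7, which the sub-table engine on slide 15 is designed around (its internals are not in this transcript and are not modeled here), comes from the standard way of storing a range in a ternary memory: expanding it into prefix entries. The following Python, an added example rather than the paper's code, performs that expansion with the usual greedy aligned-block algorithm and counts the entries one header rule with two port range fields would consume. The 16-bit port width and the sample ranges are this example's own choices.

```python
def range_to_prefixes(lo: int, hi: int, bits: int = 16) -> list:
    """Expand the inclusive range [lo, hi] into the minimal list of prefixes.

    Greedy from the low end: at each step take the largest 2^k-aligned block
    that starts at `lo` and does not overrun `hi`. Returns (value, prefix_len)."""
    assert 0 <= lo <= hi < (1 << bits)
    out = []
    while lo <= hi:
        k = 0
        while (k < bits and lo % (1 << (k + 1)) == 0
               and lo + (1 << (k + 1)) - 1 <= hi):
            k += 1
        out.append((lo, bits - k))
        lo += 1 << k
    return out


def ternary(value: int, prefix_len: int, bits: int = 16) -> str:
    """Render a prefix as the bit string a TCAM entry holds ('*' = don't care)."""
    return format(value, f"0{bits}b")[:prefix_len] + "*" * (bits - prefix_len)


def tcam_entries_for_rule(src_range, dst_range, bits: int = 16) -> int:
    """Entries one header rule with two range fields needs: the cross product
    of the two expansions. This multiplication is the blow-up slide 7 refers to."""
    return (len(range_to_prefixes(*src_range, bits))
            * len(range_to_prefixes(*dst_range, bits)))


def covers(prefixes, lo: int, hi: int, bits: int = 16) -> bool:
    """Self-check: the prefixes cover exactly [lo, hi] and nothing outside it."""
    members = set()
    for value, plen in prefixes:
        members.update(range(value, value + (1 << (bits - plen))))
    return members == set(range(lo, hi + 1))


if __name__ == "__main__":
    # Constructed sample ranges: ephemeral source ports and an "any but 0/65535" destination.
    for lo, hi in [(80, 80), (1024, 65535), (1, 65534)]:
        pf = range_to_prefixes(lo, hi)
        print(f"[{lo}, {hi}] -> {len(pf)} entries, covers={covers(pf, lo, hi)}")
        for value, plen in pf[:3]:
            print("   ", ternary(value, plen))
    print("entries for one rule with both ranges:",
          tcam_entries_for_rule((1024, 65535), (1, 65534)))
```

A single port needs one entry and the common 1024-65535 range needs six, but a 16-bit range can need up to 30 prefixes, and a rule with two such fields multiplies them: 180 TCAM entries for a single header rule. That growth is what makes the direct encoding space-inefficient and motivates keeping the ranges in separate sub-tables, as the slide above describes.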

17
(No Transcript)
19
Conclusion
  • Payload contents matching engine
    • Can handle tens of thousands of signatures, each thousands of bytes long.
    • For the current SNORT signature set it can perform multi-pattern matching at a rate of 2 Gbps (one single engine set).
  • Header rules matching engine
    • Can perform packet classification for the current SNORT header rules at a rate of up to 250 Mpps in theory.