Publication detail

Intrusion Detection System Intended for Multigigabit Networks

KOŘENEK, J.; KOBIERSKÝ, P.

Original Title

Intrusion Detection System Intended for Multigigabit Networks

English Title

Intrusion Detection System Intended for Multigigabit Networks

Type

conference paper

Language

en

Original Abstract

Network intrusion detection systems (IDS) are becoming an important tool for securing critical information and infrastructure. Current software-based IDS often fail to keep up with high-speed network links, so a hardware-based IDS is required. This paper deals with the design and implementation of a complete hardware-accelerated IDS solution based on a Field-Programmable Gate Array (FPGA). A core generator for automatic mapping of IDS rules to FPGA logic was designed to assure fast packet classification and high-speed pattern matching. The proposed architecture has been evaluated on a COMBO6X card with a Virtex-II Pro FPGA. Using the COMBO6X card, a theoretical throughput of 6.4 Gbps was achieved for all Snort rules. The designed system can be configured by rules described in Snort format using a web interface.

English abstract

Network intrusion detection systems (IDS) are becoming an important tool for securing critical information and infrastructure. Current software-based IDS often fail to keep up with high-speed network links, so a hardware-based IDS is required. This paper deals with the design and implementation of a complete hardware-accelerated IDS solution based on a Field-Programmable Gate Array (FPGA). A core generator for automatic mapping of IDS rules to FPGA logic was designed to assure fast packet classification and high-speed pattern matching. The proposed architecture has been evaluated on a COMBO6X card with a Virtex-II Pro FPGA. Using the COMBO6X card, a theoretical throughput of 6.4 Gbps was achieved for all Snort rules. The designed system can be configured by rules described in Snort format using a web interface.
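
The abstract names two stages the generator produces hardware for: packet classification on the rule header and multi-pattern matching on the payload. The following is an added software model of that compile-then-match pipeline, not the authors' FPGA core generator or any code from the paper. It parses constructed Snort-format rules (the rules, SIDs and packets below are made up for illustration), classifies a packet on protocol and ports, and runs an Aho-Corasick automaton over the payload, the kind of multi-pattern structure that hardware matchers are typically generated from. Snort content strings with `|hex|` sections and the `nocase` modifier are handled; IP address matching and the many other rule options are deliberately left out.

```python
"""Software model of the pipeline the abstract names: parse Snort rules, classify
a packet on the rule header, then multi-pattern match the payload. Added example,
not the authors' FPGA core generator; rules and packets are constructed."""
import re
from collections import deque, namedtuple

# Constructed rules in Snort format (not taken from any real ruleset).
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; sid:1001;)',
    'alert tcp any any -> any 80 (msg:"WEB traversal"; content:"../"; sid:1002;)',
    'alert udp any any -> any 53 (msg:"DNS version probe"; content:"version|00|bind"; nocase; sid:1003;)',
]
HEADER_RE = re.compile(r"^\w+\s+(?P<proto>\w+)\s+\S+\s+(?P<sport>\S+)\s*->\s*"
                       r"\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
CONTENT_RE = re.compile(r'content:\s*"([^"]*)"\s*;(\s*nocase\s*;)?')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
Rule = namedtuple("Rule", "sid proto sport dport contents")  # contents: [(bytes, nocase)]


def parse_content(text):
    """Decode a Snort content string: literal text with |hex bytes| sections."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(line):
    """Header fields plus the content patterns of one rule; raises on malformed input."""
    m = HEADER_RE.match(line)
    sid = SID_RE.search(m.group("opts")) if m else None
    if not sid:
        raise ValueError("unparsable rule: " + line)
    contents = [(parse_content(c), bool(nc)) for c, nc in CONTENT_RE.findall(m.group("opts"))]
    return Rule(int(sid.group(1)), m.group("proto").lower(), m.group("sport"), m.group("dport"), contents)


def port_matches(spec, port):
    """Snort port spec: 'any', a single port, or a 'lo:hi' range (either end may be open)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port


class AhoCorasick:
    """Multi-pattern automaton: a single pass over the payload reports every pattern."""

    def __init__(self):
        self.goto, self.fail, self.out = [{}], [0], [set()]

    def add(self, pattern, pid):
        s = 0
        for b in pattern:
            if b not in self.goto[s]:
                self.goto[s][b] = len(self.goto)
                self.goto.append({}); self.fail.append(0); self.out.append(set())
            s = self.goto[s][b]
        self.out[s].add(pid)

    def build(self):
        """Compute failure links breadth-first and merge outputs along them."""
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]
                queue.append(s)

    def scan(self, data):
        s, hits = 0, set()
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits |= self.out[s]
        return hits


class Matcher:
    """Compiled rule set: header classifiers plus two automata (case-sensitive
    patterns over the raw payload, nocase patterns over the lower-cased one)."""

    def __init__(self, rule_lines):
        self.rules = [parse_rule(line) for line in rule_lines]
        self.exact, self.nocase = AhoCorasick(), AhoCorasick()
        for ri, rule in enumerate(self.rules):
            for ci, (pattern, nocase) in enumerate(rule.contents):
                automaton = self.nocase if nocase else self.exact
                automaton.add(pattern.lower() if nocase else pattern, (ri, ci))
        self.exact.build()
        self.nocase.build()

    def match(self, proto, sport, dport, payload):
        """SIDs of rules whose header matches and whose content patterns all occur."""
        hits = self.exact.scan(payload) | self.nocase.scan(payload.lower())
        return sorted(rule.sid for ri, rule in enumerate(self.rules)
                      if rule.proto == proto and port_matches(rule.sport, sport)
                      and port_matches(rule.dport, dport)
                      and all((ri, ci) in hits for ci in range(len(rule.contents))))


if __name__ == "__main__":
    m = Matcher(RULES)
    # Constructed packets: an HTTP request hitting two rules, a DNS probe, a port miss.
    print(m.match("tcp", 54321, 80, b"GET /scripts/../cmd.exe HTTP/1.0\r\n"))  # [1001, 1002]
    print(m.match("udp", 4444, 53, b"\x12\x34\x01\x00VERSION\x00BIND"))        # [1003]
    print(m.match("tcp", 54321, 8080, b"cmd.exe"))                              # []
```

The separation into a header classifier and a payload automaton mirrors the split the abstract describes; in hardware the automaton becomes parallel comparator or state-machine logic and the header checks become a classification pipeline, which is what lets throughput scale with link speed rather than with the number of rules. Note that a rule with several `content` options fires only when all of them occur, which is why hits are keyed by (rule, content) pair rather than by rule alone.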

Keywords

Traffic Scanner, Snort, IDS, pattern matching

RIV year

2007

Released

24.08.2007

Publisher

IEEE Computer Society

Location

Krakow

ISBN

978-1-4244-1161-0

Book

2007 IEEE Design and Diagnostics of Electronic Circuits and Systems

Pages from

361

Pages to

364

Pages count

4

BibTeX

@inproceedings{BUT28816,
  author="Jan {Kořenek} and Petr {Kobierský}",
  title="Intrusion Detection System Intended for Multigigabit Networks",
  annote="Network intrusion detection systems (IDS) are becoming an important tool for
securing critical information and infrastructure. Current software-based IDS
often fail to keep up with high-speed network links, so a hardware-based IDS is
required. This paper deals with the design and implementation of a complete
hardware-accelerated IDS solution based on a Field-Programmable Gate Array (FPGA).
A core generator for automatic mapping of IDS rules to FPGA logic was designed to
assure fast packet classification and high-speed pattern matching. The proposed
architecture has been evaluated on a COMBO6X card with a Virtex-II Pro FPGA. Using
the COMBO6X card, a theoretical throughput of 6.4~Gbps was achieved for all Snort
rules. The designed system can be configured by rules described in Snort format
using a web interface.",
  booktitle="2007 IEEE Design and Diagnostics of Electronic Circuits and Systems",
  publisher="IEEE Computer Society",
  address="Krakow",
  year="2007",
  month=aug,
  pages="361--364",
  isbn="978-1-4244-1161-0",
  howpublished="print",
  type="conference paper"
}