1

Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS

Author: Tran Ngoc Thinh, Surin Kittitornkun

Publisher: Electronic Design, Test and Application, 2010. DELTA '10. Fifth IEEE International Symposium on

Presenter: Yuen-Shuo Li

Date: 2013/04/09

2

Background

Nowadays, illegal intrusion is one of the most serious threats to network security. Network Intrusion Detection/Prevention Systems (NIDS/NIPSs) are designed to examine not only the headers but also the payload of the packets to match and identify intrusions.

However, checking thousands of patterns to see whether it matches becomes a computationally intensive task as the highest network speed increases to several gigabits per second (Gbps).

3

Introduction

In this paper, we implement a massively parallel architecture of variable-length pattern matching best suited for hardware, naming Cuckoo-based Pattern Matching (CPM).

CPM is the application of a recently developed algorithm called Cuckoo Hashing [12] for pattern matching in NIDS/NIPS.

With the parallel lookup, our improved system is more efficient in terms of performance as applied on hardware. Unlike most previous FPGA-based systems, CPM is also very flexible in terms of update the static pattern set without reconfiguration.

4

Hashing with Chaining

The main idea in hashing based dictionaries is to let the hash functions decide where to store each item.

However, it is highly likely that there will be collisions. An obvious idea is to make a pointer from position a in the array to a data structure holding the set.

5

Cuckoo Hashing

Cuckoo hashing is a scheme for resolving hash collisions of values of hash functions in a table, with worst-case constant lookup time.

The name derives from the behavior of some species of cuckoo, where the cuckoo chick pushes the other eggs or young out of the nest when it hatches; analogously, inserting a new key into a cuckoo hashing table may push an older key to a different location in the table.

6

Cuckoo Hashing(Cont.)

Instead of requiring that x should be stored at position h1(x), we give two alternatives: Position h1(x) and position h2(x).

When inserting a new element x it may of course still happen that there is no space. This is resolved by imitating the nesting habits of the European cuckoo: Throw out the current occupant y of position h1(x) to make room!

7

Cuckoo Hashing(Cont.)

8

FPGA-based Cuckoo Hasing

single-port SRAM

double-port SRAM

9

Cuckoo Hasing - lookup

10

Cuckoo Hasing - insert

11

CPM - Architecture

On Dec 15, 2006, there were 4,748 unique patterns which contain 64,873 characters in Snorts rule set. Fig.5 shows the distribution of the pattern lengths in Snort database of from 1 up to 109 characters. We can see that 65% of total numbers of patterns are up to 16 characters.

12

CPM – Architecture(Cont.)

Therefore, we build the Cuckoo Hashing modules for short patterns which are less than or equal 16 characters according to this fact.

For longer patterns, we can break them into shorter segments so that we can insert those segments to the Cuckoo modules of short patterns.

input: ABCDEFGHIJKLMNOP

ABCDEFGHIJKLMNOP

...ABCDABCABA

13

CPM – Architecture(Cont.)

Shift-Add-XOR(SAX) utilizes only the simple and fast operations of shift, XOR and add.

) + )+

SL and SR: shift left and rightCi :the character ith of stringHi : an intermediate hash value after examination of i characters.

14

CPM – Architecture(Cont.)

input: ABCDEFGHIJKLMNOP

ABCDEFGHIJKLMNOP

...ABCDABCABA

15

CPM – Architecture(Cont.)

16

Performance

17

Performance(Cont.)