
Author: 阮煥鈞 (Huang-Chun Roan)
Title: A High Performance Circuit Design Applied to Network Intrusion Detection System on a SoPC Platform (應用於網路入侵系統之高效能電路可程式化系統晶片設計)
Advisor: 黃文吉 (Hwang, Wen-Jyi)
Degree: Master
Department: Department of Computer Science and Information Engineering
Year of publication: 2006
Academic year of graduation: 94 (ROC calendar)
Language: English
Pages: 43
Keywords (Chinese): network security, system-on-a-programmable-chip design, string matching
Keywords (English): Network Security, FPGA, String Matching
Thesis type: Academic thesis
Access statistics: 202 views, 0 downloads
  • This thesis proposes a circuit design that implements a network intrusion detection system in hardware. The central idea is to adopt the shift-or algorithm, using only shift registers, OR gates and ROM. The overall circuit architecture can be further improved by removing the ROM. The hardware circuit proposed in this thesis has been verified by simulation and synthesized on an Altera Stratix FPGA. Experimental results show that when two characters are processed at a time, the throughput reaches 6.75 Gbits/sec at a hardware cost of 0.7 LE/char; when the circuit processes four characters at a time, the throughput reaches 9.2 Gbits/sec at a hardware cost of 2.75 LE/char. Compared with the existing literature, the proposed hardware circuit achieves higher throughput with fewer hardware resources.

    This thesis introduces a novel FPGA-based signature match co-processor that can serve as the core of a hardware-based network intrusion detection system (NIDS). The central idea of the signature match co-processor is an architecture based on the shift-or algorithm, which uses only simple shift registers, OR gates, and ROMs in which the patterns are stored. Moreover, the architecture can be improved further by removing the ROM. The proposed architecture has been prototyped, simulated and synthesized on the Altera Stratix FPGA. Experimental results show that the circuit processing two characters at a time attains a throughput of up to 6.75 Gbits/sec at an area cost of 0.7 logic elements (LEs) per character, and that the circuit processing four input characters at a time achieves a throughput of up to 9.2 Gbits/sec at an area cost of 2.75 LEs per character. Compared with related work, the experimental results show that the proposed architecture achieves higher throughput with fewer hardware resources among FPGA implementations of NIDS.
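As an added illustration (not code from the thesis, which describes an FPGA circuit rather than software), the following Python model of the shift-or matcher shows the pieces the abstract names: a per-character mismatch-mask table that plays the role of the ROM, a state word that plays the role of the shift register, and the OR that accumulates mismatches. It also generalizes to consuming q characters per step, as the two- and four-character circuits do, by combining the q masks into one and checking q result bits; the sample buffer, signature and q values are constructed for the demonstration.

```python
def build_masks(pattern: bytes) -> list:
    """Software analogue of the ROM: for each byte value c, bit i of
    masks[c] is 0 when pattern[i] == c and 1 otherwise (shift-or
    stores mismatches as 1s so that a plain OR accumulates them)."""
    m = len(pattern)
    masks = [(1 << m) - 1] * 256
    for i, p in enumerate(pattern):
        masks[p] &= ~(1 << i)
    return masks


def shift_or_search(text: bytes, pattern: bytes, q: int = 1) -> list:
    """Return the start offsets of every occurrence of pattern in text,
    consuming q input characters per step (q=1 is classic shift-or)."""
    m = len(pattern)
    masks = build_masks(pattern)
    # Widen the state by q-1 bits so that a match that ended on an
    # earlier character of the block survives the q-bit shift.
    width = m + q - 1
    full = (1 << width) - 1
    state = full                     # all 1s: no prefix matched yet
    starts = []
    for base in range(0, len(text), q):
        block = text[base:base + q]
        n = len(block)               # last block may be shorter than q
        # Fold the q single-character steps into one: the mask for the
        # j-th character of the block is shifted by the number of
        # characters that follow it (the combined ROM output).
        combined = 0
        for j, c in enumerate(block):
            combined |= masks[c] << (n - 1 - j)
        state = ((state << n) | combined) & full
        # Bit m-1+k is clear iff the pattern ended k characters before
        # the end of the block.
        for k in range(n):
            if not (state >> (m - 1 + k)) & 1:
                end = base + n - 1 - k
                starts.append(end - m + 1)
    return sorted(starts)


# Constructed sample: a toy signature scanned over a short buffer with
# the same q values as the thesis's one-, two- and four-character circuits.
if __name__ == "__main__":
    payload = b"xxabcabcab"
    for q in (1, 2, 4):
        print(q, shift_or_search(payload, b"abc", q))   # [2, 5] each time
```

A real NIDS has many signatures; in the hardware each signature gets its own module, which in this model corresponds to one mask table and one state word per pattern.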

    Table of contents:
    1 Introduction (p. 1)
    1.1 What is Malicious Code (p. 1)
    1.2 Types of Malicious Code (p. 1)
    1.3 Network Intrusion Detection System (p. 3)
    1.4 Motivation (p. 5)
    1.5 Scope of the thesis (p. 6)
    2 Background (p. 7)
    2.1 Regular Expression (p. 7)
    2.2 Content Addressable Memory (CAM) (p. 9)
    2.3 Shift-or Algorithm (p. 10)
    3 ROM-based Architecture (p. 12)
    3.1 Basic Module Circuit (p. 13)
    3.2 High Throughput Module Circuit (p. 15)
    3.3 Experimental Results (p. 18)
    4 Bitmap Encoding Architecture (p. 22)
    4.1 Basic Module Circuit (p. 23)
    4.2 High Throughput Module Circuit (p. 27)
    4.3 Experimental Results (p. 28)
    5 Partial Encoding Architecture (p. 30)
    5.1 High Throughput Module Circuit with q = 2 (p. 30)
    5.2 High Throughput Module Circuit with q = 4 (p. 34)
    5.3 Experimental Results (p. 35)
    6 Conclusions (p. 41)
    References (p. 42)

