Computers and Security, 2010 (Elsevier Journal)

Efficient Hardware Support for Pattern Matching in Network Intrusion Detection

Nitesh B. Guinde and Sotirios G. Ziavras
Electrical and Computer Engineering Department, New Jersey Institute of Technology, Newark, NJ 07102, USA

Abstract— Deep packet inspection forms the backbone of any Network Intrusion Detection (NID) system. It involves matching known malicious patterns against the incoming traffic payload. Pattern matching in software is prohibitively slow compared to current network speeds. Because of the high complexity of matching, only FPGA (Field-Programmable Gate Array) or ASIC (Application-Specific Integrated Circuit) platforms can provide efficient solutions. FPGAs facilitate target architecture specialization through their field programmability. Costly ASIC designs, on the other hand, normally cannot accommodate pattern updates. Our FPGA-based solution performs high-speed pattern matching while permitting pattern updates without resource reconfiguration. To its advantage, our solution can also be adopted by software and ASIC realizations, although at the expense of much lower performance and higher price, respectively. Our solution permits the NID system to keep functioning while pattern updates occur. An off-line optimization method first finds common sub-patterns across all the patterns in the SNORT database of signatures [14]. A novel technique then compresses each pattern into a bit vector, where each bit represents such a sub-pattern. This approach drastically reduces the required on-chip storage as well as the complexity of pattern matching. The bit vectors for newly discovered patterns can be generated easily using a simple high-level language program before storing them into the on-chip RAM.
Compared to earlier approaches, our strategy is not only very efficient while supporting runtime updates but also yields impressive area savings: it uses just 0.052 logic cells for processing and 17.77 bits of storage per character for the current SNORT database of 6455 patterns. Also, the total number of logic cells for processing the traffic payload does not change with pattern updates.

Keywords— Field-Programmable Gate Array (FPGA), Pattern Matching, Network Intrusion Detection (NID), SNORT database.

1. Introduction

There have been many computer network attacks in recent times that were difficult to detect based only on packet header inspection. Deep packet inspection of the payload is needed to detect application-level attacks. In the area of NID systems, new vulnerabilities are identified on a daily basis and appropriate rules are developed for defense. These rules may represent either new signatures or changes to existing ones. From October 2007 to August 2008, 1348 new SNORT rules were added while 8170 rules were updated (on a daily or weekly basis). The most recent version, 2.8 of July 29th, 2009, contains 15,730 rules that involve 6455 distinct patterns of sequential characters; our evaluation uses this version of SNORT. It becomes obvious that robust NID systems should handle pattern updates (additions, deletions and edits) without being taken off-line. Signature matching is also relevant to virus detection techniques that look for the presence of specific command sequences (of characters) inside a program [19]. Although we focus on pattern matching for NID, our approach can be extended to virus detection as well, where new signatures are added almost daily.
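The bit-vector compression described in the abstract, as an added toy example in Python (not the paper's design or code): fixed-length sub-patterns of length K and the five-pattern rule set are constructed assumptions, and the confirm step shows why an order-insensitive bit vector is a candidate filter that still needs verification rather than a final match.

```python
"""Toy model of the bit-vector compression described in the abstract.
Constructed example, not the paper's implementation. Off-line, every
distinct sub-pattern across the rule set gets one bit position and each
rule becomes the OR of its sub-pattern bits. On-line, the payload is
scanned once and a rule is flagged when all of its bits were seen.
Assumption: fixed-length sub-patterns of length K (the paper derives
variable-length common sub-patterns)."""

K = 2

# Constructed toy rule set standing in for the SNORT pattern database.
PATTERNS = ["cmd.exe", "cmd /c", "/bin/sh", "sh -c", "exec"]

def grams(text, k=K):
    """All length-k substrings of text, in order of appearance."""
    return [text[i:i + k] for i in range(len(text) - k + 1)]

def build_dictionary(patterns, k=K):
    """Off-line: map each distinct sub-pattern to a bit position."""
    distinct = sorted({g for p in patterns for g in grams(p, k)})
    return {g: i for i, g in enumerate(distinct)}

def encode(pattern, dictionary, k=K):
    """Compress one pattern into a bit vector over the dictionary."""
    vec = 0
    for g in grams(pattern, k):
        vec |= 1 << dictionary[g]
    return vec

def scan(payload, dictionary, k=K):
    """On-line: single pass over the payload, setting the bit of each sub-pattern seen."""
    seen = 0
    for g in grams(payload, k):
        if g in dictionary:
            seen |= 1 << dictionary[g]
    return seen

def match(payload, patterns, k=K):
    """Return (candidates, confirmed). A candidate has all of its bits set in
    the payload's vector. The vector ignores order and adjacency, so a
    candidate is a superset filter and still needs a direct substring check."""
    dictionary = build_dictionary(patterns, k)
    seen = scan(payload, dictionary, k)
    candidates = [p for p in patterns
                  if encode(p, dictionary, k) & ~seen == 0]
    confirmed = [p for p in candidates if p in payload]
    return candidates, confirmed
```

Running `match("mesh -x -cat", PATTERNS)` flags "sh -c" as a candidate because all four of its sub-patterns occur somewhere in the payload, yet the confirm step rejects it; that gap is why the bit-vector stage alone cannot be the final verdict.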