S. Yusuf

Imperial College London, London, ENG, United Kingdom

Publications (6) · 1.22 Total impact

  • Article: Reconfigurable Architecture for Network Flow Analysis
    ABSTRACT: This paper describes a reconfigurable architecture based on field-programmable gate-array (FPGA) technology for monitoring and analyzing network traffic at increasingly high network data rates. Our approach maps the performance-critical tasks of packet classification and flow monitoring into reconfigurable hardware, such that multiple flows can be processed in parallel. We explore the scalability of our system, showing that it can support flows at multi-gigabit rate; this is faster than most software-based solutions where acceptable data rates are typically no more than 100 million bits per second.
    IEEE Transactions on Very Large Scale Integration (VLSI) Systems 02/2008; · 1.22 Impact Factor
  • Chapter: UNITE: Uniform Hardware-Based Network Intrusion deTection Engine
    ABSTRACT: Current software implementations of network intrusion detection reach a maximum network connection speed of about 1Gbps (Gigabits per second). This paper analyses the Snort software network intrusion detection system to highlight the bottlenecks of such systems. It proposes a novel packet processing engine called UNITE that deploys a uniform hardware architecture to perform both header classification and payload signature extraction utilising a Content Addressable Memory (CAM) which is optimised by techniques based on Binary Decision Diagrams (BDDs). The proposed design has been implemented on an XC2VP30 FPGA, and we achieve an operating frequency of 350MHz and a processing speed in excess of 2.8Gbps. The area resource usage for UNITE is also shown to be efficient, with a Look Up Tables (LUTs) per character ratio of 0.82 for a rule set of approximately 20,000 characters.
    08/2006: pages 389-400
  • Conference Proceeding: Bitwise optimised CAM for network intrusion detection systems
    S. Yusuf, W. Luk
    ABSTRACT: String pattern matching is a computationally expensive task, and when implemented in hardware, it can consume a large amount of resources for processing and storage. This paper presents a novel technique, based on a tree-based content addressable memory structure, for a pattern matching engine for use in a hardware-based network intrusion detection system. This technique involves hardware sharing at bit level in order to exploit powerful logic optimisations for multiple strings represented as a Boolean expression. Our approach has been used to implement the entire SNORT rule set with around 12% of the area on a Xilinx XC2V8000 FPGA. The design can run at a rate of approximately 2.5 Gigabits per second, and is approximately 30% smaller in area when compared with published results. The performance of our design can be improved further by having multiple designs operating in parallel.
    Field Programmable Logic and Applications, 2005. International Conference on; 09/2005
  • Chapter: Irregular Reconfigurable CAM Structures for Firewall Applications
    ABSTRACT: Hardware packet-filters for firewalls, based on content-addressable memory (CAM), allow packet matching processes to keep pace with network throughputs. However, the size of an FPGA chip may limit the size of a firewall rule set that can be implemented in hardware. We develop two irregular CAM structures for packet-filtering that employ resource sharing methods, with various trade-offs between size and speed. Experiments show that the use of these two structures can reduce hardware resources by up to 90% without losing performance.
    09/2003: pages 890-899
  • Conference Proceeding: Compiling policy descriptions into reconfigurable firewall processors
    ABSTRACT: We describe a framework for capturing firewall requirements as high-level descriptions based on the policy specification language Ponder. The framework provides abstraction from hardware implementation while allowing performance control through constraints. Our hardware compilation strategy for such descriptions involves a rule reduction step to produce a hardware firewall rule representation. Three main methods have also been developed for resource optimization: partitioning; elimination; and sharing. A case study involving five sets of filter rules indicates that it is possible to reduce 67-80% of hardware resources over techniques based on regular content-addressable memory, and 24-63% over methods based on irregular content-addressable memory.
    Field-Programmable Custom Computing Machines, 2003. FCCM 2003. 11th Annual IEEE Symposium on; 05/2003
  • Conference Proceeding: Development framework for firewall processors
    ABSTRACT: High-performance firewalls can benefit from the increasing size, speed and flexibility of advanced reconfigurable hardware. However, direct translation of conventional firewall rules in a router-based rule set often leads to inefficient hardware implementation. Moreover, such low-level descriptions of firewall rules tend to be difficult to manage and to extend. We describe a framework, based on the high-level policy specification language Ponder, for capturing firewall rules as authorization policies with user-definable constraints. Our framework supports optimisations to achieve efficient utilisation of hardware resources. A pipelined firewall implementation developed using this approach running at 10 MHz is capable of processing 2.5 million packets per second, which provides similar performance to a version without optimisation and is about 50 times faster than a software implementation running on a 700 MHz PIII processor.
    Field-Programmable Technology, 2002. (FPT). Proceedings. 2002 IEEE International Conference on; 01/2003