TriBiCa: Trie bitmap content analyzer for high-speed network intrusion detection

N. Sertac Artan, H. Jonathan Chao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Deep packet inspection (DPI) is often used in network intrusion detection and prevention systems (NIDPS), where incoming packet payloads are compared against known attack signatures. Processing every single byte in the incoming packet payload has a very stringent time constraint, e.g., 200 ps for a 40-Gbps line. Traditional DPI systems either need a large memory space or use special memory such as ternary content addressable memory (TCAM), limiting parallelism, or yielding high cost/power consumption. In this paper, we present a high-speed, single-chip DPI scheme that is scalable and configurable through memory updates. The scheme is based on a novel data structure called TriBiCa (Trie Bitmap Content Analyzer), which provides minimal perfect hashing functionality. It uses a trie structure with a hash function performed at each layer. Branching is determined by the hashing results with an objective to evenly partition attack signatures into multiple groups at each layer. During a query, as an input traverses the trie, an address to a table in the memory that stores all attack signatures is formed and is used to access the signature for an exact match. Due to the small space required, multiple copies of TriBiCa can be implemented on a single chip to perform pipelining and parallelism simultaneously, thus achieving high throughput. We have designed the TriBiCa on a modest FPGA chip, Xilinx Virtex II Pro, achieving 10-Gbps throughput without using any external memory. A proof-of-concept design is implemented and tested with 1-Gbps packet streams. By using today's state-of-the-art FPGAs, a throughput of 40 Gbps is believed to be achievable.

Original language: English (US)
Title of host publication: Proceedings - IEEE INFOCOM 2007: 26th IEEE International Conference on Computer Communications
Pages: 125-133
Number of pages: 9
DOIs: https://doi.org/10.1109/INFCOM.2007.23
State: Published - 2007
Event: IEEE INFOCOM 2007: 26th IEEE International Conference on Computer Communications - Anchorage, AK, United States
Duration: May 6 2007 → May 12 2007

Other

Other: IEEE INFOCOM 2007: 26th IEEE International Conference on Computer Communications
Country: United States
City: Anchorage, AK
Period: 5/6/07 → 5/12/07

Fingerprint

High speed networks
Intrusion detection
Data storage equipment
Inspection
Throughput
Field programmable gate arrays (FPGA)
Associative storage
Hash functions
Data structures
Electric power utilization
Processing
Costs

Keywords

  • Minimal perfect hashing
  • NIDPS
  • TriBiCa

ASJC Scopus subject areas

  • Hardware and Architecture
  • Electrical and Electronic Engineering

Cite this

Sertac Artan, N., & Chao, H. J. (2007). TriBiCa: Trie bitmap content analyzer for high-speed network intrusion detection. In Proceedings - IEEE INFOCOM 2007: 26th IEEE International Conference on Computer Communications (pp. 125-133). [4215605] https://doi.org/10.1109/INFCOM.2007.23

@inproceedings{17f1b259b9564f639f91551e5c9c53a4,
title = "TriBiCa: Trie bitmap content analyzer for high-speed network intrusion detection",
keywords = "Minimal perfect hashing, NIDPS, TriBiCa",
author = "{Sertac Artan}, N. and Chao, {H. Jonathan}",
year = "2007",
doi = "10.1109/INFCOM.2007.23",
language = "English (US)",
isbn = "1424410479",
pages = "125--133",
booktitle = "Proceedings - IEEE INFOCOM 2007: 26th IEEE International Conference on Computer Communications",

}

TY - GEN

T1 - TriBiCa

T2 - Trie bitmap content analyzer for high-speed network intrusion detection

AU - Sertac Artan, N.

AU - Chao, H. Jonathan

PY - 2007

Y1 - 2007

KW - Minimal perfect hashing

KW - NIDPS

KW - TriBiCa

UR - http://www.scopus.com/inward/record.url?scp=34548300090&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34548300090&partnerID=8YFLogxK

U2 - 10.1109/INFCOM.2007.23

DO - 10.1109/INFCOM.2007.23

M3 - Conference contribution

SN - 1424410479

SN - 9781424410477

SP - 125

EP - 133

BT - Proceedings - IEEE INFOCOM 2007: 26th IEEE International Conference on Computer Communications

ER -