Deep Packet Filter with Dedicated Logic and Read Only Memories
Top 1% of 2004 papers
Abstract
Searching for multiple string patterns in a stream of data is a computationally expensive task. The speed of the pattern search module determines the overall performance of deep packet inspection firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). For example, one open source IDS configured for 845 patterns can sustain a throughput of only 50 Mbps running on a dual 1-GHz Pentium III system. Using such systems would not be practical for filtering high-speed networks with over 1 Gbps of traffic. Some of these systems are implemented with field programmable gate arrays (FPGAs) so that they are fast and programmable. However, such FPGA filters tend to be too large to be mapped onto a single FPGA. By sharing the common sublogic in the design, we can effectively shrink the footprint of the filter. Then, for a large subset of the patterns, the logic area can be further reduced by using a memory-based architecture. These design methods allow our filter for 2064 attack patterns to map onto a single Xilinx Spartan 3-XC3S2000 FPGA with a filtering rate of over 3 Gbps of network traffic.