Rule Set Decomposition for Hardware Network Intrusion Detection

Abstract

This paper describes the work being done to minimize hardware requirements for a hardware-assisted Network Intrusion Detection System(NIDS). This system will use a core Intrusion Detection System(IDS) in a distributed manner. The distribution is beneficial for two reasons. First, the system will not have a single point at which an attacker can direct attack traffic for the purpose of overloading the IDS. Second, due to the number of attacks and corresponding signatures it is not feasible to design a system using programmable hardware that reconnizes all signatures. The NIDS Snort will be augmented by passing the packet matching function to a Field Programmabe Gate Array(FPGA). Snort's rule set consists of tens of hundard of "signatures" and is decomposed to minimize the capacity of FPGAs necessary to implement the entire rule set. The circuit is based on a Finite Automaton where each character represents a state. First, the rules are broken down to common groups that share similar characters. These groups are then used to decompose the entire rule set into logical sets whose patterns can be matched with a simple string matching circuit. After reducing the rule set by taking advantage of character repetition we are left with about 51% of the states necessary to match all of the patterns. This state reduction translates to a smaller circuit used to match all of the patterns and the circuit can be implemented in as few devices as possible.