Parallel and Distributed Processing Symposium, International (2008)
Miami, FL, USA
Apr. 14, 2008 to Apr. 18, 2008
Alex K. Jones , University of Pittsburgh, USA
Raymond R. Hoare , Concurrent EDA, LLC, USA
Ying Yu , Marvell Semiconductor, USA
Many telecommunications devices such as network switches contain content addressable memories (CAMs) for uses such as routing tables. CAMs, a class of associative memories, contain considerable logic for various forms of content matching and can be considered a class of reconfigurable logic engines. This paper demonstrates how a commercial ternary CAM and traditional RAM can be used with minimal additional logic to implement over 90% of the Snort 2.0 intrusion detection system (IDS) at line speeds of 1 Gb/s or more. In addition to simple matching, the more sophisticated matching operations required by Snort are implemented with an iterative approach that leverages a post-processing action RAM. Additionally, a novel range encoding algorithm provides the range matching required in the CAM, for which other encodings either exceed the width provided by a CAM entry or require an excessive number of CAM entries to scale. The system was implemented for verification and performance evaluation in cycle-accurate simulation using SystemC.
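The abstract refers to two things a reader may not have seen in code: how a ternary CAM entry matches a key (each bit is 0, 1 or don't-care, with the first hit winning), and why loading a numeric range such as a TCP port range into a TCAM is costly under the usual prefix-expansion encoding. The Python model below is an added illustration, not code from the paper and not the paper's novel range encoding; it implements the classic prefix expansion so the entry blow-up can be measured. It assumes 16-bit port fields, rule-id strings as the action tag, and first-match priority resolution.

```python
# Added example (not from the paper): a software model of ternary CAM
# (TCAM) lookup plus the classic prefix-expansion encoding of a numeric
# range. The paper's own range encoding is NOT reproduced here.

from dataclasses import dataclass
from typing import List, Optional, Tuple

WIDTH = 16  # assumption for the demo: 16-bit TCP/UDP port field


@dataclass(frozen=True)
class TcamEntry:
    """One ternary entry: value bits matter only where mask bit is 1."""
    value: int
    mask: int      # 1 = care, 0 = don't care
    action: str    # hypothetical action tag, e.g. a Snort rule id

    def matches(self, key: int) -> bool:
        return (key & self.mask) == (self.value & self.mask)

    def ternary(self, width: int = WIDTH) -> str:
        """Render as a 0/1/x string, MSB first, as a TCAM datasheet would."""
        bits = []
        for i in reversed(range(width)):
            if (self.mask >> i) & 1:
                bits.append(str((self.value >> i) & 1))
            else:
                bits.append("x")
        return "".join(bits)


def tcam_lookup(entries: List[TcamEntry], key: int) -> Optional[str]:
    """Priority lookup: a hardware TCAM reports the lowest-address hit."""
    for e in entries:
        if e.matches(key):
            return e.action
    return None


def range_to_prefixes(lo: int, hi: int, width: int = WIDTH) -> List[Tuple[int, int]]:
    """Split [lo, hi] into the minimal list of aligned power-of-two blocks.

    Each block is one (value, mask) prefix entry. This is plain prefix
    expansion; a w-bit field needs up to 2*w - 2 entries in the worst case,
    which is the blow-up the abstract's range encoding is meant to avoid.
    """
    assert 0 <= lo <= hi < (1 << width)
    out = []
    while lo <= hi:
        # Grow the block while it stays aligned at lo and inside [lo, hi].
        size = 1
        while size < (1 << width):
            nxt = size << 1
            if lo % nxt != 0 or lo + nxt - 1 > hi:
                break
            size = nxt
        mask = ((1 << width) - 1) & ~(size - 1)
        out.append((lo, mask))
        lo += size
    return out


def range_entries(lo: int, hi: int, action: str, width: int = WIDTH) -> List[TcamEntry]:
    return [TcamEntry(v, m, action) for v, m in range_to_prefixes(lo, hi, width)]


def covers_exactly(entries: List[TcamEntry], lo: int, hi: int, width: int = WIDTH) -> bool:
    """Check the encoding hits every key in [lo, hi] and no key outside it."""
    for k in range(1 << width):
        hit = any(e.matches(k) for e in entries)
        if hit != (lo <= k <= hi):
            return False
    return True


if __name__ == "__main__":
    # Constructed table: a specific port first (higher priority), then the
    # ephemeral-port range 1024-65535 expanded into prefixes.
    table = [TcamEntry(8080, 0xFFFF, "sid:1000001")]
    table += range_entries(1024, 65535, "sid:1000002")
    for e in table:
        print(e.ternary(), e.action)
    print("entries for 1024-65535:", len(range_to_prefixes(1024, 65535)))
    print("entries for 1-65534   :", len(range_to_prefixes(1, 65534)))
    print("8080 ->", tcam_lookup(table, 8080), " 22 ->", tcam_lookup(table, 22))
```

The 1024-65535 range costs six entries, but the worst case for a 16-bit field (1-65534) costs thirty; a rule set with many such ranges across source and destination ports multiplies that, which is the scaling problem the abstract attributes to existing encodings.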
Alex K. Jones, Raymond R. Hoare, Ying Yu, "A CAM-based intrusion detection system for single-packet attack detection", Parallel and Distributed Processing Symposium, International, pp. 1-8, 2008, doi:10.1109/IPDPS.2008.4536531