Packet pre-filtering for network intrusion detection
Full text: PDF (632 KB)
Source: Proceedings of the 2006 ACM/IEEE Symposium on Architecture for Networking and Communications Systems, San Jose, California, USA
Session: End-to-end security
Pages: 183-192
Year of Publication: 2006
ISBN: 1-59593-580-0
Authors
Ioannis Sourdis  TU Delft, The Netherlands
Vasilis Dimopoulos  Technical University of Crete, Crete, Greece
Dionisios Pnevmatikatos  Technical University of Crete, Crete, Greece and Institute of Computer Science (ICS), Crete, Greece
Stamatis Vassiliadis  TU Delft, The Netherlands
Sponsors
ACM: Association for Computing Machinery
SIGARCH: ACM Special Interest Group on Computer Architecture
SIGCOMM: ACM Special Interest Group on Data Communication
Publisher
ACM  New York, NY, USA
DOI: 10.1145/1185347.1185372 (http://doi.acm.org/10.1145/1185347.1185372)

ABSTRACT

As Intrusion Detection Systems (IDS) utilize more complex syntax to efficiently describe complex attacks, their processing requirements increase rapidly. Hardware and, even more so, software platforms have difficulty keeping up with the computationally intensive IDS tasks and incur overheads that can substantially diminish performance. In this paper we introduce a packet pre-filtering approach as a means to resolve, or at least alleviate, the increasing needs of current and future intrusion detection systems. We observe that it is very rare for a single incoming packet to fully or partially match more than a few tens of IDS rules. We capitalize on this observation by selecting a small portion of each IDS rule to be matched in the pre-filtering step. The result of this partial match is a small subset of rules that are candidates for a full match. Given this pruned set of rules that can apply to a packet, a second-stage, full-match engine can sustain higher throughput. We use DefCon traces and a recent Snort IDS rule-set, and show that matching the header and up to an 8-character prefix for each payload rule on each incoming packet determines that, on average, 1.8 rules may apply to each packet, while the maximum number of rules to be checked across all packets is 32. Effectively, packet pre-filtering avoids matching at least 99% of the Snort rules per packet and, as a result, minimizes processing and improves the scalability of the system. We also propose and evaluate the cost and performance of a reconfigurable architecture that uses multiple processing engines in order to exploit the benefits of pre-filtering.
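The two-stage scheme the abstract describes, as an added illustration that is not code from the paper: stage 1 checks the header fields and only the first PREFIX_LEN bytes of each rule's content pattern, stage 2 runs the exact match on the survivors. The rules, packets and SIDs are constructed toy data in a simplified Snort-like shape (protocol, destination port, a single content pattern matched anywhere in the payload); real Snort rules carry many more options, which are ignored here. The no_false_negatives check makes explicit the property the pre-filter must preserve: because a pattern can only occur where its prefix occurs, pruning by prefix never drops a rule that would fully match, so the only cost of a shared prefix is an extra candidate handed to stage 2.

```python
"""Two-stage IDS matching with a header-plus-prefix pre-filter.

Added illustration of the scheme described in the abstract; it is not
code from the paper. Rules and packets are constructed toy data in a
Snort-like shape (protocol, destination port, one content pattern)."""
from typing import List, Optional, Tuple

PREFIX_LEN = 8  # the abstract evaluates prefixes of up to 8 characters


class Rule:
    def __init__(self, sid: int, proto: str, dport: Optional[int], content: bytes):
        self.sid = sid
        self.proto = proto
        self.dport = dport        # None means "any port"
        self.content = content    # full payload pattern; b"" = header-only rule

    @property
    def prefix(self) -> bytes:
        # Only this much of the pattern is matched in the pre-filter stage.
        return self.content[:PREFIX_LEN]


class Packet:
    def __init__(self, proto: str, dport: int, payload: bytes):
        self.proto, self.dport, self.payload = proto, dport, payload


def header_matches(rule: Rule, pkt: Packet) -> bool:
    return rule.proto == pkt.proto and rule.dport in (None, pkt.dport)


def prefilter(rules: List[Rule], pkt: Packet) -> List[Rule]:
    """Stage 1: cheap header check plus prefix search over the payload.

    A pattern can only occur where its prefix occurs, so every rule that
    would fully match survives this stage; the only possible error is a
    false positive (a candidate that the full match later rejects)."""
    return [r for r in rules if header_matches(r, pkt) and r.prefix in pkt.payload]


def full_match(candidates: List[Rule], pkt: Packet) -> List[Rule]:
    """Stage 2: exact content match, run only against the pruned candidate set."""
    return [r for r in candidates if r.content in pkt.payload]


def match_packet(rules: List[Rule], pkt: Packet) -> Tuple[int, List[int]]:
    """Return (number of candidates after pre-filtering, SIDs that fully match)."""
    candidates = prefilter(rules, pkt)
    return len(candidates), [r.sid for r in full_match(candidates, pkt)]


def no_false_negatives(rules: List[Rule], pkt: Packet) -> bool:
    """Soundness check: pre-filter + full match must find exactly the rules
    that a brute-force header + full content match over all rules finds."""
    brute = sorted(r.sid for r in full_match(rules, pkt) if header_matches(r, pkt))
    return brute == sorted(match_packet(rules, pkt)[1])


# Constructed rule set (hypothetical SIDs and signatures, not real Snort rules).
RULES = [
    Rule(1, "tcp", 80, b"GET /cgi-bin/phf"),
    Rule(2, "tcp", 80, b"GET /scripts/..%c1%1c../"),
    Rule(3, "tcp", 80, b"GET /cgi-bin/test-cgi"),   # shares its 8-byte prefix with SID 1
    Rule(4, "tcp", 80, b"POST /login"),
    Rule(5, "tcp", 21, b"USER anonymous"),
    Rule(6, "udp", 53, b""),                         # header-only rule
]

# Constructed packets.
HTTP_PKT = Packet("tcp", 80, b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n")
FTP_PKT = Packet("tcp", 21, b"USER anonymous\r\nPASS guest@\r\n")
DNS_PKT = Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01")

if __name__ == "__main__":
    for name, pkt in [("http", HTTP_PKT), ("ftp", FTP_PKT), ("dns", DNS_PKT)]:
        n_cand, hits = match_packet(RULES, pkt)
        print(f"{name}: {n_cand} of {len(RULES)} rules reach the full-match stage; "
              f"full matches: {hits}; sound: {no_false_negatives(RULES, pkt)}")
```

Running the block prints, for each constructed packet, how many of the six rules reach the full-match stage. SIDs 1 and 3 share the prefix b"GET /cgi", so the HTTP packet yields two candidates of which stage 2 keeps only SID 1; the header-only DNS rule passes on its header alone because its empty prefix trivially matches. In a real rule set the candidate count after pruning, not the total rule count, is what the full-match engine has to sustain, which is the lever the abstract's reconfigurable multi-engine architecture exploits.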

