The sophistication and complexity of analysis performed by today's network intrusion prevention systems (IPSs) benefits greatly from implementation using general-purpose CPUs. Yet the performance of such CPUs increasingly lags behind that necessary to process today's high-rate traffic streams. A key observation, however, is that much of the traffic comprising a high-volume stream can, after some initial analysis, be qualified as "likely uninteresting." To this end, we have developed an in-line, FPGA-based IPS ac-celerator, the Shunt, using the NetFPGA2 platform. The Shunt functions as the forwarding device used by the IPS; it alone processes the bulk of the traffic, offloading the memory bus and leaving the CPU free to inspect the subset of the traffic deemed germane for security analysis. To do so, the Shunt maintains several large state tables indexed by packet header fields, including IP/TCP flags, source and destination IP addresses, and connection tuples. The tables yield decision values the element makes on a packet-by-packet basis: forward the packet, drop it, or divert it through the IPS. By manipulating table entries, the IPS can specify the traffic it wishes to examine, directly block malicious traffic, and "cut through" traffic streams once it has had an opportunity to "vet" them, all on a fine-grained basis. We base our design on a novel series of caches, with a "fail safe" miss policy, coupled to a host PC to handle both cache management and higher level IPS analysis. The design requires only 2 MB of SRAM for its extensive caches, and can sup-port four Gbps Ethernets on a single Virtex 2 Pro 30.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	R. Anderson, E. Biham, and L. Knudsen. Serpent: A proposal for the advanced encryption standard. @@@ Nick, how published?
	2	Michael Attig , John Lockwood, SIFT: Snort Intrusion Filter for TCP, Proceedings of the 13th Symposium on High Performance Interconnects, p.121-127, August 17-19, 2005  [doi>10.1109/CONECT.2005.33]
	3	Burton H. Bloom, Space/time trade-offs in hash coding with allowable errors, Communications of the ACM, v.13 n.7, p.422-426, July 1970  [doi>10.1145/362686.362692]
	4	Martin Casado, Tal Garfinkel, Aditya Akella, Michale Freedman, Dan Boneh, and Nick McKeown. SANE: A protection architecture for enterprise networks. In USENIX Security, 2006.
	5	Scott Crosby and Dan Wallach. Denial of Service via Algorithmic Complexity Attacks. In Proceedings of the 12th USENIX Security Symposium, August 2003.
	6	Mark Crovella, Performance Evaluation with Heavy Tailed Distributions, Revised Papers from the 7th International Workshop on Job Scheduling Strategies for Parallel Processing, p.1-10, June 16, 2001
	7	Mark E. Crovella , Azer Bestavros, Self-similarity in World Wide Web traffic: evidence and possible causes, ACM SIGMETRICS Performance Evaluation Review, v.24 n.1, p.160-169, May 1996
	8	The deter security testbed, http://www.deterlab.net.
	9	Jose Maria Gonzalez , David Wagner, Efficient filtering support for high-speed network intrusion detection, University of California at Berkeley, Berkeley, CA, 2005
	10	National Laboratory for Applied Network Research, Distributed Applications Support Team, Iperf, the TCP/UDP Bandwidth Measurement Tool. http://dast.nlanr.net/projects/iperf/.
	11	Robert Morris , Eddie Kohler , John Jannotti , M. Frans Kaashoek, The Click modular router, Proceedings of the seventeenth ACM symposium on Operating systems principles, p.217-231, December 12-15, 1999, Charleston, South Carolina, United States
	12	Nicholas Weaver and Stuart Staniford and Vern Paxson. Very fast containment of scanning worms. In 13th USENIX Security Symposium. USENIX, August 2004.
	13	Vern Paxson, Empirically derived analytic models of wide-area TCP connections, IEEE/ACM Transactions on Networking (TON), v.2 n.4, p.316-336, Aug. 1994  [doi>10.1109/90.330413]
	14	Vern Paxson , Sally Floyd, Wide area traffic: the failure of Poisson modeling, IEEE/ACM Transactions on Networking (TON), v.3 n.3, p.226-244, June 1995  [doi>10.1109/90.392383]
	15	Ronald L. Rivest. The RC5 encryption algorithm, from Dr. Dobb's Journal, January, 1995, 1996.
	16	Ronald L. Rivest, M. J. B. Robshaw, R. Sidney, and Y. L. Yin. The RC6 block cipher. @@@ Nick, how published?
	17	Lambert Schaelicke , Kyle Wheeler , Curt Freeland, SPANIDS: a scalable network intrusion detection loadbalancer, Proceedings of the 2nd conference on Computing frontiers, May 04-06, 2005, Ischia, Italy  [doi>10.1145/1062261.1062314]
	18	David Schuehler and John Lockwood. A modular system for fpga-based tcp flow processing in high-speed networks. In FPL, 2004.
	19	André Seznec, A case for two-way skewed-associative caches, Proceedings of the 20th annual international symposium on Computer architecture, p.169-178, May 16-19, 1993, San Diego, California, United States
	20	Haoyu Song , Sarang Dharmapurikar , Jonathan Turner , John Lockwood, Fast hash table lookup using extended bloom filter: an aid to network processing, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, August 22-26, 2005, Philadelphia, Pennsylvania, USA
	21	Haoyu Song , John W. Lockwood, Efficient packet classification for network intrusion detection using FPGA, Proceedings of the 2005 ACM/SIGDA 13th international symposium on Field-programmable gate arrays, February 20-22, 2005, Monterey, California, USA  [doi>10.1145/1046192.1046223]
	22	Haoyu Song, Todd Sproull, Mike Attig, and John Lockwood. Snort offloader: A reconfigurable hardware NIDS filter.
	23	Ioannis Sourdis and Dionisios Pnevmatikatos. Fast, large-scale string match for a 10 Gbps FPGA-based network intrusion detection system.
	24	Greg Watson, Nick McKeown, and Martin Casado. Netfpga: A tool for network research and education. In 2nd workshop on Architectural Research using FPGA Platforms (WARFP), 2006.
	25	Nicholas Weaver, Dan Ellis, Stuart Staniford, and Vern Paxson. Worms verses perimiters: The case for Hard LANs. In Hot Interconnects 12, August 2004.
	26	Nicholas Weaver, Vern Paxson, and Robin Sommer. Bro-LAN pervasive network inspection and control for LAN traffic. Work in progress, 2006.
	27	Walter Willinger , Vern Paxson , Murad S. Taqqu, Self-similarity and heavy tails: structural modeling of network traffic, A practical guide to heavy tails: statistical techniques and applications, Birkhauser Boston Inc., Cambridge, MA, 1998
	28	Walter Willinger , Murad S. Taqqu , Robert Sherman , Daniel V. Wilson, Self-similarity through high-variability: statistical analysis of Ethernet LAN traffic at the source level, IEEE/ACM Transactions on Networking (TON), v.5 n.1, p.71-86, Feb. 1997  [doi>10.1109/90.554723]