Title: Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces

Author(s): Christopher R. Clark, Craig D. Ulmer

ISBN: 972-99353-8-6

Editors: João M. P. Cardoso

Year: 2005

Edition: Single

Keywords: NIDS, FPGA, Gigabit Ethernet, Pattern Matching.

Type: Workshop Paper

First Page: 31

Last Page: 40

Language: English
Paper Abstract:

Network intrusion detection systems (NIDS) are critical network security tools that help protect distributed computer installations from malicious users. Traditional software-based NIDS architectures are becoming strained as network data rates increase and attacks intensify in volume and complexity. In recent years, researchers have proposed using FPGAs to perform the computationally intensive components of a NIDS. In this work, we present the next logical step in NIDS architecture: the integration of network interface hardware and packet analysis hardware into a single FPGA chip. This integration allows for better customization of the NIDS as well as a more flexible foundation for network security operations. To demonstrate the benefits of this technique, we have implemented a complete and functional NIDS in a Xilinx Virtex II/Pro FPGA that performs in-line packet filtering on multiple Gigabit Ethernet links using rules from the Snort attack database.