High-Speed Signature Matching in Network Interface Device using Bloom Filters

TL;DR

This paper introduces a programmable Ethernet interface card utilizing Bloom filters to efficiently offload signature matching tasks, significantly enhancing high-speed network intrusion detection performance.

Contribution

It presents a novel hardware design that leverages Bloom filters for rapid signature matching, reducing packet loss and improving detection efficiency in high-speed networks.

Findings

Enhanced detection ratio due to hardware offloading

Reduced packet loss at high packet rates

Improved system performance and efficiency

Abstract

Network intrusion detection systems play a critical role in protecting the information infrastructure of an organization. Due to the sophistication and complexity of techniques used for the analysis they are commonly based on general-purpose workstations. Although cost-efficient, these general-purpose systems are found to be inadequate as they are unable to perform efficiently at high packet rates. The resulting packet loss degrades the system's overall effectiveness, as the analyzing capability of the system is reduced. It has been found that the performance of these sensors can be improved significantly by filtering out unwanted packets. This paper presents the design of a Programmable Ethernet Interface Card that is used to offload signature matching from software and thereby improve the detection ratio and performance of the system.