Self-addressable memory-based FSM: a scalable intrusion detection engine

One way to detect and thwart a network attack is to compare each incoming packet with predefined patterns, also called an attack pattern database, and raise an alert upon detecting a match. This article presents a novel pattern-matching engine that exploits a memory-based, programmable state machine...

Full description

Saved in:
Bibliographic Details
Published in:IEEE network 2009-01, Vol.23 (1), p.14-21
Main Authors: Soewito, B., Vespa, L., Mahajan, A., Ning Weng, Haibo Wang
Format: Article
Language:English
Subjects:
Automata
Coding
Doped fiber amplifiers
Engines
Finite state machines
Hardware
Intrusion
Intrusion detection
Labels
Networks
Pattern matching
Reconfigurable logic
State machines
Throughput
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:One way to detect and thwart a network attack is to compare each incoming packet with predefined patterns, also called an attack pattern database, and raise an alert upon detecting a match. This article presents a novel pattern-matching engine that exploits a memory-based, programmable state machine to achieve deterministic processing rates that are independent of packet and pattern characteristics. Our engine is a self-addressable memory-based finite state machine (SAMFSM), whose current state coding exhibits all its possible next states. Moreover, it is fully reconfigurable in that new attack patterns can be updated easily. A methodology was developed to program the memory and logic. Specifically, we merge "non-equivalent" states by introducing "super characters" on their inputs to further enhance memory efficiency without adding labels. SAM-FSM is one of the most storage-efficient machines and reduces the memory requirement by 60 times. Experimental results are presented to demonstrate the validity of SAM-FSM.
ISSN:0890-8044
1558-156X
DOI:10.1109/MNET.2009.4804319