|
Author(s): |
Brendan Cronin, Network Processing Group, RINCE, School of Electronic Engineering, Dublin City University, Ireland
Xiaojun Wang, Network Processing Group, RINCE, School of Electronic Engineering, Dublin City University, Ireland |
|
Abstract: |
Multi-match packet classification is the first stage in Network Intrusion Detection Systems where it is followed by Deep Packet Inspection performed on the matching rules. The most commonly proposed solutions to multi-match classification are TCAM based and, as a result, suffer from several disadvantages such as higher cost, energy consumption, and circuit board area. This paper investigates alternative algorithmic solutions that can use SRAM in place of TCAM. We adapt a number of well known single-match packet classification algorithms and compare their multi-match classification performance in terms of memory requirements, energy consumption and packet processing speed. Finally we compare these with two existing multi-match solutions. We conclude that bit vector based architectures perform well thanks to the extensive overlap between the header sections of typical NIDS rule sets which allows significant compression of the number of rule headers.
|