A Highly Compressible Regular Expression Matching Circuit for Network Intrusion Detection Systems: An ECD-NFA approach

Network attacks that flow through network firewalls or network intrusion detection systems (NIDS) are often identifiable by the patterns of data that they contain. The patterns are normally represented by complex regular expressions which are matched at a very high speed. The regular expressions are built into their equivalent automata, using minimal hardware resources in order to detect variations of these patterns. This paper explains the design, structure, and suitability of a hardware-based automata implementation. The approach is based on an input compression technique that uses Equivalence Classification (EC) technique. The technique is used to drive a novel Nondeterministic Finite Automata (NFA) referred to as Equivalence Class Descriptor NFA (ECD-NFA). The ECD-NFA approach creates classes of compressed inputs represented by positive integer values simply referred to as ECDs. The ECDs are class descriptors, which are used as inputs to drive the automata, instead of unclassified raw character-input strings. The ECD-NFA design is built to take advantage of the parallelism provided by Field Programmable Gate Array (FPGA) technology. The design further exploited the FPGA to provide high throughput and support for quick updates. The ECD-NFA design clocks at 460.00 MHz, with a throughput value of 3.68 Gigabits (Gbps). The design incurs very minimal logic circuit cost, and the preliminary results look promising.