<p dir="ltr"><u>Abstract</u></p><p dir="ltr">Current software-based IDS solutions for protecting networks do not scale well to meet the higher line rates of larger enterprise networks such as those at universities. Much of the bottleneck comes from regular expressions, which take the most time to process. While hardware accelerators such as GRAPEFRUIT and HARE exist, they are either too slow or not dense enough to support large rulesets. Pigasus IDS uses an FPGA-based approach to filter out packets before regex matching but suffers from trace-dependent performance. We present TRex, an FPGA-based IDS that has a filter similar to Pigasus and a custom regular-expression accelerator for this application. TRex only checks regular expressions that are relevant to each packet, allowing it to process packets in parallel on separate rules. Exploiting parallelism in this way allows TRex to support 2x throughput, lessening the demand for software to take over.</p>
Degree Type
Master of Science in Electrical and Computer Engineering