Efficient long signature matching for gigabit intrusion detection sensors

Network Intrusion Detection Systems (NIDS) require the sensors to inspect the packet payloads at line rates. However, the software-only NIDS can not handle the large signature set with thousands of patterns of different lengths at line rates. Ternary content-addressable memories (TCAMs) have gained wide acceptance in the industry for storing and searching patterns in routers. But one important problem blocked the way to deploy TCAMs as deep package matching engines for NIDS: long patterns matching. A novel high speed long patterns matching architecture using cascade TCAMs for large signature set based NIDS is presented in this paper. Simple and efficient systems to handle tens of thousands of signatures with thousands of bytes length each can be built on such architecture. The matching system using for current SNORT signature set can work at the speeds greater than 2 Gbps.