Today’s network intrusion prevention systems (IPSs) must perform increasingly sophisticated analysis—parsing protocols and interpreting application dialogs rather than simply searching for signature strings—for which the necessary algorithms defy full implementation in hardware, being much more readily implemented using general-purpose CPUs. Yet the performance of such CPUs increasingly lags behind that necessary to process today’s high-rate traffic streams. We observe that in many environments much of the traffic comprising a high-volume stream can, after some initial analysis, be qualified as “likely uninteresting.” Thus, we would like a means by which we can couple a general-purpose CPU with a specialized hardware element such that only the hardware element processes the bulk of the bytes in a network stream, while the CPU can still inspect those elements of network flows deemed germane for security analysis. To this end, we have developed an in-line, FPGA-based IPS...
Nicholas Weaver, Vern Paxson, José M. González
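A toy model of the CPU/hardware split the abstract describes, added here as an illustration and not code from the paper or its authors: a per-flow action table stands in for the hardware element, table misses are diverted to the CPU, and after some initial analysis the CPU installs a verdict so that the bulk of a flow's bytes never reach it again. The byte budget, the marker string and the trace are constructed assumptions.

```python
from dataclasses import dataclass

Flow = tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)
FORWARD, DROP, DIVERT = "forward", "drop", "divert"

@dataclass
class Packet:
    flow: Flow
    length: int
    payload: bytes = b""

class ShuntSimulator:
    """Per-flow table = hardware element; misses/DIVERT go to the CPU, which installs verdicts."""

    def __init__(self, cutover_bytes: int):
        self.table: dict[Flow, str] = {}      # verdicts installed by the CPU
        self.seen: dict[Flow, int] = {}       # bytes the CPU has inspected per flow
        self.stats = {"hw_bytes": 0, "cpu_bytes": 0, "dropped": 0}
        self.cutover = cutover_bytes          # assumption: fixed inspection budget per flow

    def hardware_path(self, pkt: Packet) -> str:
        action = self.table.get(pkt.flow, DIVERT)  # unknown flows always meet the CPU
        if action == FORWARD:
            self.stats["hw_bytes"] += pkt.length   # bulk bytes handled without the CPU
        elif action == DROP:
            self.stats["dropped"] += pkt.length
        else:
            self.cpu_path(pkt)
        return action

    def cpu_path(self, pkt: Packet) -> None:
        self.stats["cpu_bytes"] += pkt.length
        total = self.seen[pkt.flow] = self.seen.get(pkt.flow, 0) + pkt.length
        # Toy analysis (constructed): a marker in the inspected bytes means DROP;
        # a flow that stays clean past the budget is "likely uninteresting".
        if b"SUSPICIOUS" in pkt.payload:
            self.table[pkt.flow] = DROP
        elif total >= self.cutover:
            self.table[pkt.flow] = FORWARD

def run_demo() -> dict[str, int]:
    # Constructed trace: one bulk download and one short flagged flow.
    sim = ShuntSimulator(cutover_bytes=4096)
    bulk = ("10.0.0.5", 40000, "10.0.0.9", 80, "tcp")
    flagged = ("10.0.0.7", 40001, "10.0.0.9", 80, "tcp")
    trace = [Packet(bulk, 1460, b"GET /big.iso HTTP/1.1")] + [Packet(bulk, 1460)] * 19
    trace += [Packet(flagged, 200, b"... SUSPICIOUS ...")] + [Packet(flagged, 200)] * 5
    for pkt in trace:
        sim.hardware_path(pkt)
    return sim.stats  # {'hw_bytes': 24820, 'cpu_bytes': 4580, 'dropped': 1000}
```

In the constructed trace the CPU inspects only the first three segments of the 29 KB download before the remaining 17 are forwarded by the table alone, which is the byte-volume split the design aims for.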