Skip to Main Content
HashMem is a memory based, exact pattern matching architecture for Snort-like intrusion detection. It uses CRC- style functions to determine a unique location for a possible match and then matches the input against the pattern stored in the specified memory location. This approach achieves is a very low logic and a reasonable memory cost. In this paper we extend the HashMem architecture to allow storing of variable-length patterns in a single memory structure, reducing the number of required memory structures and comparators. In this way, we improve the density of the memories and reduce the necessary logic for CRC functions and comparators. These improvements allow V-HashMem to accommodate the newest Snort rule-set with modest memory and very low logic cost of about 0.06 logic cells per search pattern character. This logic cost is almost an order of magnitude smaller compared to other research. Variable length HashMem uses single-ported memories, thus allowing the simultaneous processing of two characters per cycle using the FPGA dual ported memories and additional logic. We also extend the V-HashMem architecture to include a header-ID field and support header matching information, a feature missing both from our own earlier work and many related systems.
Date of Conference: 28-30 Aug. 2006