Skip to Main Content
Network intrusion detection systems continuously monitor the network traffic in order to identify any traces of suspicious activities such as worm, viruses or spam. One attractive technique for identifying potential Internet threats is detecting previously unknown, but common sub-strings that appear very frequently in data packets. In this paper, we propose a novel architectural platform that thoroughly analyzes the network traffic behavior in terms of repetitions to identify potential Internet threats. The main idea is to use a two-phase hashing system and small memory units functioning in parallel to achieve a high-throughput and memory efficient behavioral analysis engine. The system performs behavioral analysis on selected information/user(s) and builds a bell-shaped curve for normal traffic using parallel counters. Our traffic behavioral analysis system has been fully prototyped on Altera Stratix FPGA. Experimental results verify that our system can support line speed of gigabit-rates with very negligible false positive and negative rates.