Hybrid memory-efficient multimatch packet classification for NIDS

Network applications such as network intrusion detection systems (NIDSs) require multimatch packet classification, where all matched results need to be reported. Most researchers have adopted a TCAM-based architecture to enhance system performance, but TCAM consumes high amounts of power and requires a lot of memory resources. In this paper, we analyze the characteristics of the Snort rule set, and propose an memory-efficient multimatch packet classification architecture for NIDS using the result of analysis. The proposed hybrid architecture uses hash-based matching for searching single port numbers and k-ary tree matching for searching range port numbers and is synthesized on Altera Stratix IV FPGA. Compared with previous TCAM-based architectures, our design achieves over four times improvement in memory requirement and power consumption. Our architecture sustains 16.8–67.4 Gbps throughput for minimum size (40 bytes) packets.