TCP/IP Reassembly in Network Intrusion Detection and Prevention Systems

Abstract

Deep Packet Inspection (DPI) in Network Intrusion Detection and Prevention Systems (NIDPS) typically involves the matching of packet payloads against attack signatures in the form of fixed strings and regular expressions. As an attack pattern may span multiple IP fragments or TCP segments, accurate DPI requires that the traffic is reassembled prior to analysis of the payload data stream. Although hardware acceleration of the TCP layer, including reassembly, is well known in the form of TCP Offload Engines for Network Interface Cards, only limited research has been conducted into reassembly architectures suited to the particular requirements of DPI systems. The challenging requirements include the tracking and fragment/segment reordering of a potentially very large number of streams in addition to dealing with subtle ambiguities in IP fragmentation and TCP segmentation using target based reassembly or traffic normalization. In this article, the authors present a combined hardware and software architecture which harnesses the resources of the latest FPGA technology to improve on existing research proposals.