1. Technical Field
The present invention relates generally to a network intrusion detection apparatus and method using a Perl Compatible Regular Expressions (PCRE)-based pattern matching technique and, more particularly, to a network intrusion detection apparatus and method that perform PCRE-based pattern matching on the payloads of packets using a network processor equipped with a Deterministic Finite Automata (DFA) engine.
2. Description of the Related Art
Harmful traffic denotes any of the following: attack traffic that causes a system to malfunction when the recipient receives it; traffic that carries attack information or is unnecessary for a normal network flow; or traffic that is necessary for a data flow or belongs to a normal packet, but that interferes with the flow of the recipient's normal network communication by generating an excessively large number of normal packets or by interrupting a network connection. When harmful traffic enters a user's computer over a network, problems such as the deterioration of computer performance arise. Ways to block such harmful traffic have therefore been researched continually.
In order to detect and prevent malicious attacks on a network, the paper by Giorgos Vasiliadis et al., entitled ‘Regular Expression Matching on Graphics Hardware for Intrusion Detection’ (RAID 2009, Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, pages 265-283), proposes technology that uses a Peripheral Component Interconnect (PCI)-based exclusive Perl Compatible Regular Expressions (PCRE) acceleration engine to perform fast PCRE-based pattern matching on large-capacity Internet Protocol (IP) traffic.
However, when the PCI-based exclusive PCRE acceleration engine is used to perform PCRE pattern matching, performance decreases because packets and matching results must be transmitted over PCI between the general-purpose Central Processing Unit (CPU), which receives and analyzes packets, and the PCRE acceleration engine.
Meanwhile, even when character string (content) matching is performed using a network processor equipped with a separate Deterministic Finite Automata (DFA) engine, the DFA engine performs simple character string matching, while the network processor core performs the reception and analysis of packets and the matching of PCRE patterns. Accordingly, there is a limit to processing large-capacity IP traffic in a high-speed network without causing loss. In particular, PCRE pattern matching using a PCRE library on the network processor core is the principal cause of the reduction in the performance of the network processor.
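The division of work described in the preceding paragraph, as an added example that is not taken from the patent or from any product: an Aho-Corasick automaton stands in for the DFA engine's character string matching, and Python's `re` module stands in for the PCRE library running on the processor core. The rules, payloads and function names are constructed for illustration.

```python
import re
from collections import deque

# Constructed rules: (literal content string, regular expression).
RULES = [
    (b"cmd.exe", rb"GET\s+/\S*cmd\.exe\?\S+"),
    (b"passwd", rb"\.\./(\.\./)+etc/passwd"),
    (b"SELECT", rb"(?i)union\s+select\s+\w+"),
]

def build_dfa(literals):
    """Aho-Corasick automaton: goto table, failure links, rule ids per state."""
    goto, fail, out = [{}], [0], [set()]
    for rule_id, lit in enumerate(literals):
        s = 0
        for b in lit:
            if b not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(rule_id)
    queue = deque(goto[0].values())
    while queue:  # breadth-first pass fills in the failure links
        s = queue.popleft()
        for b, t in goto[s].items():
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)
            out[t] |= out[fail[t]]
            queue.append(t)
    return goto, fail, out

def dfa_scan(dfa, payload):
    """DFA engine role: one pass over the payload, literal strings only."""
    goto, fail, out = dfa
    s, hits = 0, set()
    for b in payload:
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        hits |= out[s]
    return hits

def inspect_payload(payload, rules=RULES):
    """Core role: the regex still runs here, once per rule whose literal hit."""
    candidates = dfa_scan(build_dfa([lit for lit, _ in rules]), payload)
    alerts = sorted(i for i in candidates if re.search(rules[i][1], payload))
    return sorted(candidates), alerts
```

`inspect_payload` returns the rule ids flagged by the literal stage and the subset confirmed by the regex stage; every id in the first list costs the core one regular-expression evaluation, which is the load the paragraph identifies.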