Publication Details
Accelerating IDS Using TLS Pre-Filter in FPGA
Šišmiš Lukáš, Ing. (CESNET)
Matoušek Jiří, Ing., Ph.D. (CESNET)
Kořenek Jan, doc. Ing., Ph.D. (DCSY FIT BUT)
TLS, acceleration, FPGA, IDS, 100G Ethernet, 400G Ethernet
Intrusion Detection Systems (IDSes) are a widely used network security tool. However, achieving sufficient throughput is challenging as network link speeds increase to 100 or 400 Gbps. Despite the large number of papers focusing on the hardware acceleration of IDSes, the approaches are mostly limited to the acceleration of pattern matching or do not support all types of IDS rules. Therefore, we propose hardware acceleration that significantly increases the throughput of IDSes without limiting the functionality or the types of rules supported. As the IDSes cannot match signatures in encrypted network traffic, we propose a hardware TLS pre-filter that removes encrypted TLS traffic from IDS processing and doubles the average processing speed. Implemented on an acceleration card with an Intel Agilex FPGA, the pre-filter supports 100 and 400 Gbps throughput. The hardware design is optimized to achieve a high frequency and to utilize only a few hardware resources.
@INPROCEEDINGS{FITPUB12982,
author = "Vlastimil Ko\v{s}a\v{r} and Luk\'{a}\v{s} \v{S}i\v{s}mi\v{s} and Ji\v{r}\'{i} Matou\v{s}ek and Jan Ko\v{r}enek",
title = "Accelerating IDS Using TLS Pre-Filter in FPGA",
pages = "436--442",
booktitle = "Proceedings - IEEE Symposium on Computers and Communications",
year = 2023,
location = "Tunis, TN",
publisher = "IEEE Computer Society",
ISBN = "979-8-3503-0048-2",
doi = "10.1109/ISCC58397.2023.10218049",
language = "english",
url = "https://www.fit.vut.cz/research/publication/12982"
}