Publication Details
Accelerating IDS Using TLS Pre-Filter in FPGA
Šišmiš Lukáš, Ing. (DCSY)
Matoušek Jiří, Ing., Ph.D. (DCSY)
Kořenek Jan, doc. Ing., Ph.D. (DCSY)
Keywords: TLS, acceleration, FPGA, IDS, 100G Ethernet, 400G Ethernet
Intrusion Detection Systems (IDSes) are a widely used network security tool.
However, achieving sufficient throughput is challenging as network link speeds
increase to 100 or 400 Gbps. Despite the large number of papers focusing on the
hardware acceleration of IDSes, the approaches are mostly limited to the
acceleration of pattern matching or do not support all types of IDS rules.
Therefore, we propose hardware acceleration that significantly increases the
throughput of IDSes without limiting the functionality or the types of rules
supported. As the IDSes cannot match signatures in encrypted network traffic, we
propose a hardware TLS pre-filter that removes encrypted TLS traffic from IDS
processing and doubles the average processing speed. Implemented on an
acceleration card with an Intel Agilex FPGA, the pre-filter supports 100 and 400
Gbps throughput. The hardware design is optimized to achieve a high frequency and
to utilize only a few hardware resources.
@inproceedings{BUT185159,
author="Vlastimil {Košař} and Lukáš {Šišmiš} and Jiří {Matoušek} and Jan {Kořenek}",
title="Accelerating IDS Using TLS Pre-Filter in FPGA",
booktitle="Proceedings - IEEE Symposium on Computers and Communications",
year="2023",
pages="436--442",
publisher="IEEE Computer Society",
address="Tunis",
doi="10.1109/ISCC58397.2023.10218049",
isbn="979-8-3503-0048-2",
url="https://ieeexplore.ieee.org/document/10218049"
}