
High performance TCP reassembly for network intrusion detection system

Thinh T.N. Faculty of Computer Science and Engineering, HCMC University of Technology, Viet Nam
Tomiyama S. | Vu T.H. School of Information Telecommunication Engineering, Tokai University, Kanagawa-ken, Japan

International Review on Computers and Software, No. 6, 2012 (Vol. 7, pp. 3320-3325)

ISSN: 18286003

DOI:

Document indexed in: Scopus

Article

English

Keywords: Edge; Hold up; Intrusion patterns; Linked list; Matching techniques; Network intrusion detection systems; Network links; Reassembly; Segment Array; System supports; TCP connections; Time-stamp; Bottles; Computer crime; Dynamic random access storage; Field programmable gate arrays (FPGA); Intrusion detection; Transmission control protocol
English abstract
Transmission Control Protocol (TCP) is now one of the most popular protocols in networking. However, it has been shown in practice that TCP reassembly is memory-hungry and is usually the bottleneck of a system. In this paper, we propose a method for TCP reassembly, called the multi-linked-list method, which can offer high performance. The targeted applications of our system are Network Intrusion Detection Systems (NIDSs), which usually use signature-based matching techniques to protect networks from illegal intrusions. Our proposed method combines the reassembly technique with edge buffering to help NIDSs detect cross-packet intrusion patterns. Our system supports TCP connections with up to 4 concurrent holes. It can hold up to 256K connections simultaneously, including up to 46K out-of-sequence connections, with only 64MB DRAM. This version of our system can operate on a 10Gbps network link and supports connection timestamps and a buffer threshold to prevent some kinds of attacks on our system itself. © 2012 Praise Worthy Prize S.r.l. - All rights reserved.
