High-throughput and Memory-efficient Tcp Reassembly for Network Intrusion Detection System

Most of network data are transmitted using TCP protocol, which need to be reassembled before being processed by applications. However, applications proved that TCP reassembly is memoryhungry and it is usually the bottle neck of a system. In this paper, we propose a method for TCP reassembly, called multi-linked-list method, which can offer high throughput and high memory efficiency. The targeted applications of our system are Network Intrusion Detection Systems (NIDS)s which usually use signature-based matching techniques to protect networks from illegal intrusions. Our proposed method combines reassembly technique with edge buffering to help NIDS detect cross packet intrusion patterns. Our system not only supports TCP connections with up to 4 concurrent holes, but also uses memory more efficiently than others. The experimental results show that our system can operate on 10Gbps network link and hold up to 256K connections simultaneously including up to 46K out-of-sequence connections with only 64MB DRAM. Our system can also support connection timestamp and buffer threshold to prevent some kinds of attacks to our system itself.