Abstract: Stateful Packet Inspection (SPI) is the most important area of Network Intrusion Detection Systems (NIDS). However, it must operate at multi-Gigabit speeds to trace and reassemble every connection and examine every packet flow. This paper proposes Stateful Packet Inspection for Multi Gigabit Networks (SPIMN), customized hardware for a more efficient and faster online inspection system. The generic SPIMN architecture is based on an FPGA and on header inspection. Xilinx ISE 14.1 was used for the design and for simulation with a test-bench circuit before implementation on a Virtex-7 FPGA. Finally, the testing and evaluation of SPIMN indicate that this model can work with more than 2,000 Snort rules on 100 Gigabit Ethernet networks.
INTRODUCTION
Recent years have witnessed rapid growth in both internet penetration and bandwidth, due to huge improvements in telecommunication infrastructure, the proliferation of competitively priced computers and internet-capable mobile devices, and the reduced cost of internet access resulting from increased competition [1]. The AV-TEST Institute registers over 390,000 new malicious programs every day [2]. One of the most-used solutions for protecting networks is a Network Intrusion Detection System (NIDS) such as Snort [3]. A NIDS depends on network packet inspection (NPI). NPI can be categorized in several ways depending on how many network layers are inspected. Although there is no definitive categorization, Parsons divides it into three levels [4], and this study adopts that categorization: shallow packet inspection (or stateful packet inspection, SPI), medium packet inspection (MPI) and deep packet inspection (DPI). Figure 1 shows the levels of SPI, MPI and DPI in the OSI architecture. Inspection (flow monitoring) can also be categorized by the number of header fields (context information) that are examined [5]. These fields and the header categories are shown in Table 1.
This work aims to design and implement Stateful Packet Inspection for Multi Gigabit Networks (SPIMN) on an FPGA for: (1) header inspection, (2) intrusion protection, and (3) 100 Gigabit networks. The operational goals of SPIMN are: (1) dropping invalid packets; (2) applying two detection techniques, header analysis and header matching; (3) filtering and preventing infected packets; (4) generating reports; (5) parallel processing to increase speed; and (6) no modification to hardware, operating system, or run-time environment. In addition, the proposed architecture is based on the following assumptions: (1) a fixed parser is used; (2) only IPv4 is handled; and (3) the Snort rules are written by hand: writing these rules is difficult and time consuming, so this work is limited to a small number of them, and a module to generate them automatically is planned for future work. This paper is organized as follows: Section 2 summarizes the related work. The SPIMN architecture is explained in Section 3. Section 4 describes its realization (design and implementation). Section 5 presents the verification and validation of SPIMN. Finally, Section 6 concludes the paper and opens the scope for further research.
RELATED WORK
Most published research on packet classification has focused on IP address lookup for routing and on matching rule sets, with initial packet parsing [8]. For instance, Prasanna et al. [9] demonstrated IP address lookup at up to 100Gbps using an FPGA implementation. Packet matching research is typically based on Snort rule-based intrusion detection [10]. Attig et al. demonstrated a 100Gbps line rate by coupling the parsing module with a key lookup module to perform complete packet classification [8]. This packet classification subsystem was in turn coupled with a traffic management subsystem to demonstrate a 400Gbps network processor on a dual Xilinx Virtex-7 implementation. Kangaroo is a programmable parser that parses multiple headers per cycle; it buffers all header data before parsing, which introduces latencies that are too large for today's switches [11]. Weirong et al. presented a novel decision-tree-based linear multi-pipeline architecture on FPGAs for wire-speed, multi-field packet classification [9]. Extensive simulation and FPGA implementation results demonstrated the effectiveness of the solution: the FPGA design supported 10K rules or 1K OpenFlow-like complex rules and sustained over 40 Gbps throughput for minimum-size (40 byte) packets.
Stateful Packet Inspection (SPI) was originally developed for firewalls, but it has since found various other applications, such as Virtual Private Networks (VPN), NIDS and traffic monitoring. Published work on packet classification can be divided into two categories: software solutions based on novel classification algorithms running on a general-purpose CPU or network processor, and hardware solutions based on Ternary CAM, ASIC or FPGA. In general, a software-based solution is flexible but CPU-intensive, which is intolerable when the network traffic load is heavy. For high-speed packet classification (above a 10Gbps line rate), hardware solutions are currently the best [12]. Abhishek et al. designed an FPGA-based architecture for anomaly detection in network transmissions [13]. They first developed a feature extraction module (FEM) to summarize the network information for use at a later stage, and its throughput could reach 40Gbps. Ashok proposed a Distributed Intrusion Detection System (DIDS) architecture that can be implemented across more than one FPGA using MGTs (Multi-Gigabit Transceivers, which support serial communication speeds up to 10Gbps per channel) [6].
SPIMN ARCHITECTURE
SPIMN, as shown in Figure 2, consists of six main components that work together.
A. Input Output Interface Unit (IOIU)
The function of the IOIU is to establish the connection between SPIMN and the physical network. It provides low-level services for interaction with physical network standards. It consists of two modules, as shown in Figure 3:
1) Input Interface Module (IIM)
The functions of the IIM are to receive the traffic from the network, convert the traffic into packets, queue the packets, and send the packets to the Packet Processing Unit (PPU).
2) Output Interface Module (OIM)
The OIM receives packets from the Packet Reassembly Unit (PRU) and the Report Generator Unit (RGU), queues them, converts them into traffic, and sends the traffic to the network. Both modules are built from the same components: the input and output MGTs (Multi Gigabit Transceivers) provide the low-level services for interaction with physical network standards such as Gigabit Ethernet; the input and output 100 Gigabit Ethernet blocks convert Ethernet frames into packets and check the validity of the frames; and the packet FIFO (first-in first-out) buffers store and pass the packets.
B. Packet Processing Unit (PPU)
The PPU separates each packet into header and payload. It sends the payload to the Intrusion Protection Unit (IPU) and decodes the header to generate a table of header fields classified by protocol (the context information table).
1) Packet Extractor Module (PEM)
The main functions of the packet extractor are: separate the packets received from the IIM into header and payload, send the header to the Header Parser, and send the payload to the Intrusion Protection Unit (IPU).
It consists of a set of buffers, comparators, decoders, and state machines that sequentially identify the Ethernet frame elements within a packet. The frame format is specified as a text file containing the name and size of every element.
2) Header Parser Module (HPM)
The functions of the header parser are: check and identify the protocol, extract the fields for processing by subsequent stages of the system, classify the header fields by protocol (the Context Information table), and send this table to the Header Inspection Unit (HIU), the Packet Reassembly Unit (PRU) and the Report Generator Unit (RGU).
There are two types of header parser: (1) a fixed header parser (this work), and (2) a programmable (dynamic) header parser (future work).
It mainly consists of two parts, as shown in Figure 5.
C. Header Inspection Unit (HIU)
The HIU is the main part of SPIMN. It inspects the packet with two techniques: (1) anomaly detection, by checking the header field values, and (2) intrusion detection, by matching the context information table against the header Snort rules. After detection it sends the result to the Packet Reassembly Unit (PRU), the Intrusion Protection Unit (IPU), and the Report Generator Unit (RGU) to complete the operation. The anomaly check also acts as a filter: if an anomaly is found, the packet is not sent to the matching circuit, which speeds up the inspection process.
The HIU therefore consists of two modules, as illustrated in Figure 6.
1) Header Analyzer Module (HAM)
The testers of the HAM check the header field values of the context information table (Table 1) against the flow tables. The relationship between the testers and the flow tables is one-to-one to speed up the inspection.
2) Header Matching Module (HMM)
The Header Matching Module is a rule-matching module that finds out whether the header information matches any of the given header Snort rules. These rules may also include checks on the flow definition.
It consists of a set of comparator arrays and a header Snort rule detector. Figure 8 shows the block diagram of the HMM.
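As an added illustration of the two HIU stages (example code written for this edit, not the paper's VHDL), the following Python model runs the anomaly checks of the Header Analyzer in front of the comparator arrays of the Header Matching Module. The field names of the context-information table, the particular anomaly checks, and the supported Snort header syntax (action, protocol, source, source port, direction, destination, destination port, plus a sid option) are this example's own assumptions; the rules and packets are constructed for the demonstration.

```python
"""Software model of the Header Inspection Unit (HIU): the Header Analyzer
(anomaly checks on field values) in front of the Header Matching Module
(Snort header rules). Added example, not the paper's VHDL; the field names,
the set of anomaly checks and the supported rule syntax are this example's
own assumptions (a subset of Snort: action proto src sport dir dst dport)."""
import ipaddress


def ctx(proto, src, sport, dst, dport, **fields):
    """Constructed context-information table, as the Header Parser would emit."""
    table = {"proto": proto, "ip_version": 4, "ihl": 5, "total_len": 60, "ttl": 64,
             "src": src, "sport": sport, "dst": dst, "dport": dport,
             "tcp_flags": "S" if proto == "tcp" else ""}
    table.update(fields)
    return table


def analyze_header(c):
    """Header Analyzer Module: names of the anomalies found in raw field values."""
    found = []
    if c["ip_version"] != 4:
        found.append("ip_version")
    if c["ihl"] < 5 or c["total_len"] < c["ihl"] * 4:
        found.append("ip_length")
    if c["ttl"] == 0:
        found.append("ttl_zero")
    if c["src"] == c["dst"]:
        found.append("src_equals_dst")
    if c["proto"] in ("tcp", "udp") and 0 in (c["sport"], c["dport"]):
        found.append("port_zero")
    if c["proto"] == "tcp":
        flags = set(c["tcp_flags"])
        if {"S", "F"} <= flags:
            found.append("tcp_syn_fin")
        if not flags:
            found.append("tcp_null")
    return found


def _match_addr(spec, addr):
    """Snort address spec: any, CIDR, !negation or [a,b,...] list."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _match_addr(spec[1:], addr)
    if spec.startswith("["):
        return any(_match_addr(s.strip(), addr) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _match_port(spec, port):
    """Snort port spec: any, N, lo:hi (either side may be open) or !negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _match_port(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def parse_rule(text):
    """'alert tcp any any -> 10.0.0.0/8 22 (sid:1001;)' -> rule dict."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    sid = None
    for opt in opts.rstrip(")").split(";"):
        key, _, value = opt.strip().partition(":")
        if key == "sid":
            sid = int(value)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "sid": sid}


def rule_matches(rule, c):
    """One comparator array: does the context table satisfy this header rule?"""
    if rule["proto"] not in ("ip", c["proto"]):
        return False
    fwd = (_match_addr(rule["src"], c["src"]) and _match_port(rule["sport"], c["sport"])
           and _match_addr(rule["dst"], c["dst"]) and _match_port(rule["dport"], c["dport"]))
    if rule["dir"] == "->":
        return fwd
    rev = (_match_addr(rule["src"], c["dst"]) and _match_port(rule["sport"], c["dport"])
           and _match_addr(rule["dst"], c["src"]) and _match_port(rule["dport"], c["sport"]))
    return fwd or rev  # '<>' is bidirectional


def inspect(c, rules):
    """HIU: anomalous packets are filtered and never reach the matching stage.
    In hardware all comparator arrays evaluate in parallel; here it is a loop."""
    anomalies = analyze_header(c)
    if anomalies:
        return {"detected": True, "anomalies": anomalies, "matched": []}
    return {"detected": False, "anomalies": [],
            "matched": [r["sid"] for r in rules if rule_matches(r, c)]}


RULES = [parse_rule(r) for r in (  # constructed header-only rules
    "alert tcp any any -> 10.0.0.0/8 22 (sid:1001;)",
    "alert udp !10.0.0.0/8 any -> 10.0.0.53 53 (sid:1002;)",
    "alert tcp any any <> 192.168.1.10 !1024: (sid:1003;)",
)]
```

inspect() returns detected=True with the anomaly names for a packet the analyzer filters, and otherwise the list of matched sids; the `<>` direction is tried in both orientations, and negated and open-ended port specs such as `!1024:` are handled. Where the hardware evaluates every comparator array against the same table in one cycle, the loop over RULES is the sequential equivalent.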
D. Intrusion Protection Unit (IPU)
The IPU checks the detected and matched signals and replaces an anomalous or infected packet with the idle pattern, thereby filtering it and preventing the intrusion.
It consists of checking, replacement, and sending modules. Figure 9 shows the block diagram of the IPU.
E. Packet Reassembly Unit (PRU)
Packet reassembly is one of the main tasks that must be performed on a monitored TCP flow. By parallelizing the reassembly of TCP packets on the server side and on the client side of the FPGA, the performance of stateful TCP inspection can be greatly improved. The PRU gathers the header and the payload (or the idle packet, in the case of an infected packet) and passes it to the server or to the client.
It consists of three modules: Dispatcher, Streaming, and Tracking, as shown in Figure 10. The functions of the Dispatcher are: receive the packet, or the idle packet, from the IPU; receive the header fields from the extractor module; receive the C/S Direction signal from the header analyzer; and check the C/S signal to define the output direction (to the client or to the server).
[Figure 7 block labels: Tables Generator, Flow Tables, Testers, Context Information Table, Valid/Detected Signal. Figure 8 block labels: Set of Comparator Arrays, Header Snort Rules.]
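The dispatch and per-side tracking described above, as an added Python model written for this edit (not the paper's VHDL). It assumes segments arrive as records of already-parsed header fields plus payload, that the client is whichever endpoint sent the first SYN (the C/S direction decision), and that each direction is reassembled independently by sequence number, which is what the paper's parallel server and client sides do; 32-bit sequence wrap-around is not modelled. The segments are constructed for the demonstration.

```python
"""Software model of the Packet Reassembly Unit's dispatch and tracking logic.
Added example, not the paper's VHDL. Assumptions: segments are dicts of parsed
header fields plus payload; the client is whichever endpoint sent the first
SYN; each direction is reassembled independently by sequence number (the
paper's parallel server/client sides are two Stream objects); 32-bit
sequence wrap-around is not modelled."""


class Stream:
    """One direction of a connection: in-order delivery by sequence number."""

    def __init__(self):
        self.next_seq = None      # set from the SYN's initial sequence number
        self.pending = {}         # seq -> payload held until the hole before it is filled
        self.data = bytearray()   # bytes delivered in order so far

    def accept(self, seq, payload, syn=False):
        if syn:
            self.next_seq = seq + 1
            return
        if self.next_seq is None:
            return                                   # no SYN seen: ignored
        if seq > self.next_seq:                      # gap before it: hold
            self.pending[seq] = payload
        elif seq + len(payload) > self.next_seq:     # in order or overlapping: keep the new tail
            self.pending[self.next_seq] = payload[self.next_seq - seq:]
        else:
            return                                   # entirely old data: drop
        while self.next_seq in self.pending:         # flush whatever is now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.data += chunk
            self.next_seq += len(chunk)


class FlowTracker:
    """Dispatcher + Tracking: route each segment to its flow and direction."""

    def __init__(self):
        self.flows = {}

    @staticmethod
    def key(seg):
        return tuple(sorted([(seg["src"], seg["sport"]), (seg["dst"], seg["dport"])]))

    def dispatch(self, seg):
        """Return 'c2s' or 's2c' for the side the segment was routed to, or
        None when it belongs to no tracked flow (dropped; an assumption here)."""
        flags = set(seg["flags"])
        flow = self.flows.get(self.key(seg))
        if flow is None:
            if "S" not in flags or "A" in flags:
                return None
            flow = {"client": (seg["src"], seg["sport"]), "c2s": Stream(), "s2c": Stream()}
            self.flows[self.key(seg)] = flow
        direction = "c2s" if (seg["src"], seg["sport"]) == flow["client"] else "s2c"
        flow[direction].accept(seg["seq"], seg["payload"], syn="S" in flags)
        return direction

    def reassembled(self, seg, direction):
        """Bytes delivered so far on one side of the flow that seg belongs to."""
        return bytes(self.flows[self.key(seg)][direction].data)


def seg(src, sport, dst, dport, flags, seq, payload=b""):
    """Constructed segment record (the fields a header parser would produce)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "seq": seq, "payload": payload}


SAMPLE = [  # constructed: one HTTP exchange plus a stray segment
    seg("10.0.0.5", 40000, "10.0.0.80", 80, "S", 1000),
    seg("10.0.0.80", 80, "10.0.0.5", 40000, "SA", 5000),
    seg("10.0.0.5", 40000, "10.0.0.80", 80, "A", 1001),
    seg("10.0.0.5", 40000, "10.0.0.80", 80, "PA", 1012, b"1.1\r\n"),              # arrives early
    seg("10.0.0.5", 40000, "10.0.0.80", 80, "PA", 1001, b"GET / HTTP/"),          # fills the hole
    seg("10.0.0.5", 40000, "10.0.0.80", 80, "PA", 1012, b"1.1\r\nHost: a\r\n"),   # overlapping retransmit
    seg("10.0.0.80", 80, "10.0.0.5", 40000, "PA", 5001, b"HTTP/1.1 200 OK\r\n"),
    seg("10.0.0.9", 5555, "10.0.0.80", 80, "PA", 777, b"stray"),                  # no SYN seen
]


def run_sample():
    """Dispatch SAMPLE and return (routes, client->server bytes, server->client bytes)."""
    tracker = FlowTracker()
    routes = [tracker.dispatch(s) for s in SAMPLE]
    return routes, tracker.reassembled(SAMPLE[0], "c2s"), tracker.reassembled(SAMPLE[0], "s2c")
```

The out-of-order segment is held until the hole before it is filled, the overlapping retransmit contributes only its new tail, and the stray segment with no tracked flow is dropped rather than reassembled; the two Stream objects never share state, which is what lets the hardware process the server and client sides in parallel.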
F. Report Generator Unit (RGU)
The Report Generator Unit (RGU) counts and tabulates the frequency of each rule and accumulates the numbers of matched and unmatched packets. These results are reported to the host PC as the record of the detection and protection processes.
The RGU consists of a set of data-gathering buffers, a search module and a set of table generators, as shown in Figure 11. In practice, SPIMN is quite challenging in two respects: (1) throughput: it must run at line rate (100Gbps); and (2) parallelism: especially in the header inspection and packet reassembly units.
DESIGN AND IMPLEMENTATION
This section presents the SPIMN procedure and the SPIMN design and implementation.
A. SPIMN Procedure
The SPIMN sequence of operation is pointed out below; the operational steps are shown in Figure 12.
B. SPIMN Design and Implementation
Xilinx ISE 14.1 was used for both the design and the implementation of SPIMN, to satisfy the requirements and the architecture given in Section 3. The design and implementation steps are shown in Figure 13.
For the load-onto-FPGA step, the Xilinx Virtex-7 690T FPGA device was selected, because the Virtex-7 series has integrated features that include FIFO and ECC logic, DSP blocks, PCI Express controllers, Ethernet MAC blocks, and high-speed transceivers (configured in software). The modules are designed and developed in VHDL using Xilinx ISE 14.1.
Packet Processing Unit
The PPU separates each packet into header and payload and then extracts the useful header information from the MAC layer, the network layer (IPv4, ICMP), and the transport layer (TCP, UDP). No other layer is decoded.
a. Packet Extractor Module (PEM)
The extractor divides each packet into header fields and data, then sends the header fields to the parser and the data to the Intrusion Protection Unit (IPU), as shown in Figure 15. It strips frame elements such as the preamble, the start of frame delimiter (SFD), padding and the FCS. If no SFD is received, it generates a reset for the frame; otherwise it generates a valid signal that enables the parser module.
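A software model of the extractor just described, together with the fixed header decoding the PPU overview calls for (Ethernet/IPv4 and TCP, UDP or ICMP only), as an added Python example written for this edit and not the paper's VHDL. The frame is raw bytes including preamble, SFD and FCS; extract() strips them and checks the FCS (CRC-32, least-significant byte first, as on the wire), and parse() produces a flat context-information table. The field names and the exact validity checks are this example's assumptions, and build_frame() only constructs test input.

```python
"""Software model of the Packet Extractor (PEM) and fixed Header Parser (HPM).
Added example, not the paper's VHDL. Field names and validity checks are
assumptions of this example; build_frame() constructs test frames."""
import socket
import struct
import zlib

PREAMBLE_SFD = b"\x55" * 7 + b"\xd5"


def _ip_checksum(hdr):
    """RFC 1071 one's-complement sum over the IPv4 header (0 when it verifies)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def extract(frame):
    """PEM: drop preamble/SFD and FCS; return (valid, remaining frame bytes).
    A missing SFD or a bad FCS resets the frame (valid=False)."""
    if not frame.startswith(PREAMBLE_SFD) or len(frame) < 8 + 14 + 4:
        return False, b""
    body, fcs = frame[8:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body) & 0xFFFFFFFF:
        return False, b""
    return True, body


def parse(frame):
    """HPM: context-information table for the frame, or {'valid': False, ...}."""
    ok, body = extract(frame)
    if not ok:
        return {"valid": False, "reason": "bad_frame"}
    if struct.unpack("!H", body[12:14])[0] != 0x0800:
        return {"valid": False, "reason": "not_ipv4"}       # fixed parser: IPv4 only
    ip = body[14:]
    if len(ip) < 20:
        return {"valid": False, "reason": "bad_ip_header"}
    ver_ihl, _tos, total, _id, frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total < ihl or len(ip) < total or _ip_checksum(ip[:ihl]) != 0:
        return {"valid": False, "reason": "bad_ip_header"}
    table = {"valid": True, "eth_dst": body[:6].hex(":"), "eth_src": body[6:12].hex(":"),
             "ttl": ttl, "proto": proto, "ip_len": total, "frag_offset": frag & 0x1FFF,
             "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}
    l4 = ip[ihl:total]
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", l4[:16])
        table.update(l4proto="tcp", sport=sport, dport=dport, seq=seq, ack=ack,
                     tcp_flags=off_flags & 0x1FF, window=window,
                     payload=l4[(off_flags >> 12) * 4:])
    elif proto == 17 and len(l4) >= 8:
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        table.update(l4proto="udp", sport=sport, dport=dport, payload=l4[8:])
    elif proto == 1 and len(l4) >= 4:
        table.update(l4proto="icmp", icmp_type=l4[0], icmp_code=l4[1], payload=l4[4:])
    else:
        table.update(l4proto="other", payload=l4)            # any other layer is not decoded
    return table


def build_frame(src_ip, dst_ip, proto, l4, ethertype=0x0800):
    """Constructed test input: Ethernet/IPv4 frame with preamble, SFD and FCS."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    body = bytes.fromhex("0011223344556677889900aa") + struct.pack("!H", ethertype) + ip + l4
    return PREAMBLE_SFD + body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


SYN_TO_SSH = build_frame("198.51.100.7", "10.1.2.3", 6,
                         struct.pack("!HHIIHHHH", 40000, 22, 1000, 0, 0x5002, 65535, 0, 0))
DNS_QUERY = build_frame("203.0.113.5", "10.0.0.53", 17,
                        struct.pack("!HHHH", 5353, 53, 13, 0) + b"hello")
```

A corrupted byte anywhere in the frame fails the FCS check in extract() and never reaches the decoders, a non-IPv4 EtherType is rejected by the fixed parser, and an unknown transport protocol is passed through undecoded, matching the three outcomes the PPU description allows.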
b. Header Parser Module (HPM)
The header parser module receives the EoE (End of Extraction) signal, the valid frame signal, and the buffered header fields from the extractor module, and extracts the useful header information from the MAC layer, the network layer (IPv4, ICMP) and the transport layer (TCP, UDP).
The HPM therefore consists of a set of decoders for IP, TCP, UDP, and ICMP. All of the generated header fields are stored in registers (the Context Information Table), producing a registered header data output 120 bits wide. The operation states are illustrated in Figure 16, and Figure 17 shows the gate level of the Header Parser.
Header Analyzer Module (HAM) Gate-Level
The input of the HAM is the context information table (described in Table 1), and its outputs are the inspection signals (the set of status and control signals shown in Table 2) and the detected signal. Figure 18 shows the gate level of the HAM.
Intrusion Protection Unit Gate-Level
The intrusion protection unit is used to prevent the matched attacks and intrusions. Its inputs are the payload, the idle packet, and the detecting, matching and terminating signals; its output is either the packet or the idle pattern, as shown in Figure 21. Figure 20 shows the process states in the IPU.
Packet Reassembly Unit Gate-Level
The packet reassembly unit is the opposite of the packet extractor: it rebuilds the packet and routes it to the server side or the client side.
Report Generator Unit (RGU) Gate-Level
The Report Generator Unit generates a status table that contains the numbers of invalid, anomalous and infected packets, and the type of infection. The report also shows the intrusion protection status. Figure 23 shows the operation states of the RGU. The search module searches the index table by Matched-ID to find the Snort type (Snort identification, alert). The inputs are the Context Information
SPIMN VERIFICATION AND VALIDATION
To test the design and implementation of Section 4, two steps are carried out: the first simulates SPIMN as such, using ModelSim ISE 6.0, and the second verifies it.
SPIMN Verification
SPIMN as an entire prototype was implemented experimentally using the above components. Figure 24 shows the realization of the information flow. 3) The output section consists of one port that connects to the monitored PC.
Validation
Finally, we test and evaluate the SPIMN model in a comparative study between SPIMN and other systems. The main result of this comparative study is that it can work on a 100 Gigabit Ethernet network without any modification. The rule match module used a subset of 100 Snort rules in testing the design and implementation of SPIMN (generating the Snort rules manually is difficult, so automatic generation is planned for future work).
The SPIMN test steps are as follows: (1) generate traffic that includes certain types of attacks and intrusions; (2) send this traffic to PC1, which runs a standard Snort detection system, and record its report; (3) send the same traffic to SPIMN and record its output report, which is sent to PC2; (4) compare the two reports to check the accuracy of the inspection; and (5) resend the output traffic from SPIMN to the PC and run detection again to confirm that the detected intrusions have been removed, i.e. that the protection unit works. This is shown in Figure 25. The performance of an SPI-based intrusion detection system mainly depends on the performance of processing the context information table. SPIMN performs stateful packet inspection in real time with two stages of detection (the header analyzer to detect anomalous values, and header matching against the Snort rules), which allows more efficient detection. These are the main contributions of SPIMN. SPIMN was implemented with Xilinx ISE 14.1 on a Virtex-7 XC7V2000T FPGA device with '-2' speed grade. This model achieves throughput over 100 Gbps with dual-port memory while supporting more than 2,000 Snort rules. Processing the data flow on the server side and the client side in parallel, and fully using the context information of the TCP connection, are our main contributions to improving the processing of TCP connections in a NIDS.
CONCLUSION
In this paper, we described the architecture, design and hardware implementation of 100 Gigabit stateful inspection using an FPGA. The proposed model (SPIMN) provides intrusion detection, protection, and report generation. SPIMN is experimentally tested in three steps. The first step is based on the Xilinx simulation environment, using a test-bench circuit to ensure the correctness of the system architecture before implementation; it is also used to measure the average response time of SPIMN at 100Gbps, from which the system performance is reported and evaluated. The second step is experimental verification of SPIMN over a network. In the third step, we test and evaluate SPIMN in a comparative study between the proposed system and others. In particular, we demonstrated improved performance through optimized, efficient memory access in the FPGA logic and through parallel processing in both parts of the header inspection unit and in the packet reassembly unit; the PRU and the HIU also operate in parallel with each other. The use of an FPGA made it easy to modify and develop the system.
It is planned to extend SPIMN in three directions. The first is to replace the header parser with a programmable parser that works with any protocol and generates the matching rules automatically (Dynamic SPIMN). The second is to improve the stateful packet inspection to inspect the payload and the header together (Deep Packet Inspection, DPI). The third is to create a circuit to handle regular expressions and to develop a sequencer to handle non-pattern-matching rules.
