A Network Intrusion Detection System (NIDS) provides better protection to our system and to the entire network from malicious attacks spreading over the internet. Hardware based NIDS are becoming more prominent since software based NIDS are not able to support high performance demands. An FPGA based implementation provides re-configurability, scalability, parallelism and pipelining capability, so it is a suitable solution for an adaptable environment. In this work, we have designed an overall architecture of the proposed NIDS and implemented a low power signature matching architecture. The performance of the signature matching architecture is higher than that of the software architectures. Also, its power consumption and complexity are lower than those of the existing hardware based signature matching techniques. Moreover, the modules are executed in parallel and thus provide considerable speed in execution.
INTRODUCTION
Intrusion detection includes signature matching and anomaly detection. Signature matching is also known as misuse detection. It is used for finding known viruses and it is free from false alarms, but it can't identify unknown or new malware. Anomaly detection, on the other hand, is capable of identifying unknown or new viruses, but it is prone to false positives. Hence, a combination of signature matching and anomaly detection will serve the purpose of a Network Intrusion Detection System (NIDS). The speed of the internet is increasing and software based NIDS (Radhakrishna et al., 2016; Solane et al., 2015) are not able to meet the complex computing involved in NIDS. Hence a lot of research is going on in hardware based NIDS. Moreover, signature matching and anomaly detection need to be implemented with inherent parallelism in order to cope with the growing network speed. Hence, reconfigurable architectures are found to be adequate for implementing hardware based NIDS. The FPGA hardware used for the implementation of the proposed architecture is reconfigurable, adaptable and also capable of implementing parallel and pipelined architectures. Among the known signature matching techniques, memory architecture based signature matching is found to give better performance. The basic memory architecture for signature matching is as shown in Figure 1. In a memory architecture, the known signature patterns are compiled as finite automata and stored in memory in the form of a state transition table. Every symbol or character of the virus signature is matched against the character stored in the memory. The well-known algorithm for signature matching is the Aho-Corasick algorithm (Aho and Corasick, 1975) (Cheng-Hang Lin et al., 2009), which merges the common substrings of the virus string patterns and further reduces the memory bottleneck.
In the proposed signature matching technique, the known signature patterns are compiled using the merge FSM algorithm to optimize the memory usage. Weina He (2016) proposed a composite prediction method of network security situation based on CEEMD and time series estimation. Another important component of the memory architecture is searching. Whenever an input packet arrives from the network, the payload of the packet is compared with the known virus patterns stored in the form of the transition table of the finite automata. The comparison can be done in two ways: 1) Content Addressable Memory (CAM) based searching, 2) hash based searching. The detailed architecture of CAM based searching was reviewed by Kostas et al. (Kostas et al., 2006). The CAM does a parallel comparison in one clock cycle and so it needs complex circuitry, power and silicon area (Beamer and Akgul, 2009; Anh-Tuan et al., 2013; Nilson et al., 2004). The different types of CAM are binary CAM and ternary CAM. The binary CAM searches for exact matches and the ternary CAM (TCAM) also considers don't cares, so TCAMs are used in wild card searching. The CAM sensing scheme proposed by Beamer and Akgul (Beamer and Akgul, 2009) saves power to some extent. The CAM consumes more power due to parallel match line comparison. Alternatively, a parity bit technique was used by Pedro et al. (Pedro et al., 2013), which reduces 39% sensing delay at the cost of 1% power and area. Also, the memory density of the CAM is low and its power consumption is higher when compared to DRAMs and SRAMs. Implementing column address in CAM is a tedious task. The other searching technique is hash based searching, and the hashing technique is prone to collisions. In order to avoid collisions, Lin and Cheng (Lin and Cheng, 2013) proposed a perfect hashing technique, which increased the computational complexity.
The Wu-Manber algorithm for signature matching (Zhang et al., 2009; Xiao-Shal et al., 2006; Hong, 2006) needs a hash table in the filter mechanism when the shift value is zero. The Bloom Filter algorithm proposed by Soliman and El-Helw (Soliman and Elhelw, 2005) requires "k" different hash functions to check all locations. The trie table generation and one step hash for the virus detection processor proposed by Cheng et al. requires a hash value to be generated for each light weight trie tree. The proposed signature matching algorithm doesn't use CAM or hash functions for searching the memory. Instead, it uses an optimized binary search algorithm based on the lookup table obtained from the outgoing edges of the finite automata in which the known virus signatures are compiled and stored.
EXPERIMENTAL PROCEDURE
The proposed FPGA based NIDS as shown in Figure 2 includes both signature matching and anomaly detection. The network packets are collected from the wired LAN and fed into the packet splitter, which divides each packet into header and payload. The header part of the packet is given to the anomaly detection module and the payload part of the packet is given to the signature matching module. In parallel, the network statistics from the wired LAN are obtained using a tool such as Wireshark. The network statistics thus obtained and the header features extracted using a state machine based feature extractor are given to the rule based classifier. The rule based classifier is capable of identifying the anomalous packet. In this paper, we focus on power efficient signature matching.
Proposed System for Signature Matching
The proposed signature matching technique is defined as follows: 1) Compiling the known signatures into finite automata and storing the automata in the form of a cursor implementation of a linked list. The cursor implementation of the linked list is used since Verilog doesn't support pointers. 2) Construction of the lookup table. 3) Signature matching using the lookup table and binary search. Initially, the known signature patterns are taken from the well-known signature databases and compiled into a finite automaton, and memory optimization is done using the merge FSM algorithm. For example, Figure 2 shows a merge FSM in which the signatures "ab", "ac" and "de" are compiled. Further, the obtained merge FSM is stored as a cursor implementation of a linked list; here, the ending states represented with double circles can be omitted for further optimization of memory. The memory representing the cursor implementation of the example FSM given in Figure 2 is as shown in Table 1.
Figure 3 Signatures compiled into Finite Automata.
Table 1 Cursor implementation of the finite Automata
Further, the number of outgoing edges of every node of the FSM is calculated using the memory obtained by the cursor implementation. Starting from the initial address, we traverse the list using the next address. For every next address found, we increment the counter. We continue traversing until the next address is equal to Null and then store the counter value in the lookup table. We repeat the above steps for all the nodes in the FSM except the ending nodes or ending states.
Further, the lookup table as shown in Table 2 is constructed using the number of outgoing edges calculated for every node of the FSM. In the lookup table, the starting address of the first node is kept as zero by default. Remaining starting addresses are obtained by incrementing the ending address of the previous row. The ending address is obtained by decrementing from the sum of starting address and the number of outgoing edges of the particular row. Here the starting address and end address indicate the exact range of locations of the memory where the particular character may be found.
Table 2 Lookup Table
0  1  1  2  2  3  2  Null  Null  Null  3  Null  Null  Null  4  4  4  5 Null Null Null
Address Character
The entire process of signature matching is as shown in Figure 4. The virus signature coming from the internet is fed into the input buffer and each symbol or character is given to the binary search module (Jasmine and Latha, 2016). Initially, the current state is set to zero, which symbolizes the starting state of the FSM in which the known virus patterns are compiled. The value of the current state is taken as the address for the lookup table. The starting address and end address corresponding to that lookup table address are taken from the lookup table and given to the binary search module. The binary search module compares the input character against the characters present within the range of memory locations bounded by the starting address and end address. The binary search is done using a divide and conquer strategy. Further, the current state value is updated: if the input character matches the character stored in the memory, the corresponding next state stored in the next state memory becomes the current state for the next comparison. This process is continued until the number of outgoing edges value of the lookup table becomes zero. If the number of outgoing edges value is zero, the virus signature is matched; this indicates malicious code in the particular packet, and that packet will be discarded.
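The three steps above (compile the signatures, build the lookup table, match by binary search) as a software reference model in Python; this is an added example, not the authors' Verilog design. It assumes that states are numbered in creation order, that each state's edges are stored contiguously and sorted by character, and that no signature is empty or a prefix of another. Because the paper does not describe mismatch handling, the model restarts the FSM at every payload offset.

```python
def compile_signatures(sigs):
    """Merge common prefixes into one FSM; states are numbered in creation order."""
    edges = [{}]                            # edges[state] = {char: next_state}
    for sig in sigs:
        state = 0
        for ch in sig:
            if ch not in edges[state]:
                edges[state][ch] = len(edges)
                edges.append({})
            state = edges[state][ch]
    return edges

def build_tables(edges):
    """Flatten the FSM into character/next-state memories and the lookup table."""
    char_mem, next_mem, lookup = [], [], []
    for out in edges:
        if not out:                         # ending state: no memory range
            lookup.append((None, None, 0))
            continue
        start = len(char_mem)               # last used ending address + 1
        char_mem.extend(sorted(out))        # sorted so binary search is valid
        next_mem.extend(out[ch] for ch in sorted(out))
        lookup.append((start, start + len(out) - 1, len(out)))
    return char_mem, next_mem, lookup

def binary_search(char_mem, lo, hi, ch):
    """Return the address of ch inside [lo, hi], or None if it is absent."""
    while lo <= hi:
        mid = (lo + hi) // 2
        if char_mem[mid] == ch:
            return mid
        lo, hi = (mid + 1, hi) if char_mem[mid] < ch else (lo, mid - 1)
    return None

def scan(payload, tables):
    """Return the payload offset where a signature starts, or None."""
    char_mem, next_mem, lookup = tables
    for offset in range(len(payload)):
        state = 0                           # restart from the FSM start state
        for ch in payload[offset:]:
            start, end, _ = lookup[state]
            addr = binary_search(char_mem, start, end, ch)
            if addr is None:
                break
            state = next_mem[addr]
            if lookup[state][2] == 0:       # no outgoing edges: signature matched
                return offset
    return None

TABLES = build_tables(compile_signatures(["ab", "ac", "de"]))  # the page's signatures
```

For the signatures "ab", "ac" and "de", the lookup rows with a memory range are states 0, 1 and 4; the ending states 2, 3 and 5 carry Null ranges.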
RESULTS AND DISCUSSION
The proposed searching method is implemented in Spartan3, XC3S50. The total thermal power consumption for the searching using optimized binary search is 23.50mW, which is much lower than that of the conventional methods including CAM and hashing based searching. The power consumption for the entire signature matching process done online is 43.23mW, which is much lower than that of the existing signature matching methods. The hardware utilization of the proposed signature matching technique is shown in Table 3. Figure 5 shows the RTL schematic and Figure 6 shows the technology schematic of the proposed power efficient signature matching architecture.
CONCLUSION
This paper presented an overall FPGA based implementation of NIDS and more particularly focussed on Signature matching. The signature matching technique implemented in this system consumed less power as compared to the other techniques used for signature matching. The reduced power consumption for signature matching is achieved by using the binary search based on the lookup table formed using the number of outgoing edges of the finite automata in which the known signatures are compiled.
