



# INTERNATIONAL JOURNAL FOR RESEARCH

IN APPLIED SCIENCE & ENGINEERING TECHNOLOGY

Volume: 4 Issue: VII Month of publication: July 2016

DOI:

www.ijraset.com

Call: © 08813907089 E-mail ID: ijraset@gmail.com

www.ijraset.com Volume 4 Issue VII, July 2016 IC Value: 13.98 ISSN: 2321-9653

## International Journal for Research in Applied Science & Engineering Technology (IJRASET)

## High Efficient Z-TCAM Implementation Using FPGA for NIDS

Bhavani<sup>1</sup>, Dr.Baswaraj Gadgay<sup>2</sup>, Suman B Pujari<sup>3</sup>

<sup>1</sup>PG student Dept. of VLSI Design & Embedded Systems VTU PG Centre Kalaburagi

<sup>2</sup>Research Guide & Professor VTU PG Centre Kalaburagi

<sup>3</sup>Assistant Professor Dept. of VLSI&ES VTU PG Centre Kalaburagi, Karnataka

Abstract - A content addressable memory (CAM) is a kind of storage device which is used to access its contents by using its content rather than its address. Since ternary content addressable memory has slow access time, consumes more power and more complex. SRAM has the advantage of high speed, so the TCAM is configured with SRAM to overcome this disadvantage. The emulation of TCAM functionality with the help of SRAM is named as Z-TCAM. The CAM finds its application in intrusion detection system, image processing, Hofmann coding and decoding. The pattern matching is one of the critical problems in many search based applications such as in network intrusion detection system. In intrusion detection system the Z-TCAM act is used as search engine. This is implemented on the FPGA and simulated using model Sim simulator.

Keywords: NIDS (Network Intrusion Detection System), Ternary content addressable memory (TCAM), Static random access memory (SRAM), memory architecture, Field Programmable Gate Array (FPGA).

#### I. INTRODUCTION

There is an increased use of internet over the past few years; there is great demand for the search engines in order to increase the speed of search operation. So with regard to this we are using special category of memory devices called as content addressable memory. The content address memories are also known as associative storage, associative memory or also known as associative array. In normal memory if the user wants to access the memory, then the user needs to provide the address. From the particular address location the user will be able to fetch the contents. But here in associative memory the user will provide the content; in return the user will get the address for that particular data element. These memories are used in search engines in many applications where the search operation is the more critical task.

The associative array much faster speed is achieved than the traditional memories in which uses sequential searching used. It is used to implement the lookup tables, and this is done in a single clock cycle with the help of comparison circuit. Here the data which we want to search is compared against the predefined data in the memory. If the data is found matched then it gives address of that memory location. It is used in the application such as in coding of the image, in network routers, in Huffman coding or decoding, and also in data compression.

The content memories are of two types they are binary and ternary. In binary it is able to store and search 0 and 1. Where as in ternary memory it is able store and search three bits they are 0, 1, and x which is also known as don't care or called as wild card in some applications. But it has the disadvantage of higher complexity, lower speed, consumes more power, and it has slow access time

So in order to overcome problem ternary content memory in our project we are using static random memory (SRAM). SRAM is having higher speed, and it has low cost compared with the traditional content memories. They are having higher storage density compared to the ternary memory. In this project ternary content addressed memory is configured with SRAM to speed search operation. The integration of TCAM with the SRAM is called as ZTCAM. The Z-TCAM is much denser and able to handle the wild cards or don't care states. It is much faster than the traditional TCAM's. It has enhanced memory utilization. The implementation of Z-TCAM is done using FPGA, as it is widely used in many applications.

The implementation of Z-TCAM is either favorable on FPGA or on the ASIC. The FPGA based Z-TCAM is having higher speed which can be used in networking to yield higher throughput.

The Network Intrusion Detection System (NIDS) is an increasing area of research for the security of the information. It helps in securing the precious data and information of an individual or an organization. The data and information of an organization can be secured by using software or by using hardware of NIDS. The software method provides less security in preserving the data, as it is more susceptible to the security attacks. The software methods are having lesser throughput compared to the hardware systems.

www.ijraset.com Volume 4 Issue VII, July 2016 IC Value: 13.98 ISSN: 2321-9653

## International Journal for Research in Applied Science & Engineering Technology (IJRASET)

#### II. RELATED WORK

In the prior work presented the content memories were configured with randomly accessed memory which is often known as content addressed random access memory (CA-RAM). They offer higher memory density compared to traditional memories. It is mainly used to implement hashing techniques for search based applications in hardware. There are many techniques such as ordered table, linear and also binary tree search techniques apart from this hashing technique is widely used because of its high performance. The CA-RAM used for hash technique has two main parts one is data and other is key. These two fields are contained in the data or the record which is to be searched. It provides simple hash function that finds the record which is stored in the particular memory location. The data stored in the memory has two-dimensional hash table, and each entries of the hash table are called as bucket with M entries. This bucket contains many records which are arranged in the form of arrays. When the two keys of the hash table are same it results in collision also called as conflict. When this conflicting increases for multiple records in the bucket. Then the data will be placed in some other locations of bucket which the data hash into this result into overflow of the area.

It has several disadvantages the first is here the performance is determined by the record which is actually distributed and how these data are accessed. If too many data are placed in the overflow area because of collision, then faster data search operation is not completed. Another limitation is that if bit position contains don't care bits which is used for hashing technique, then each keys which contains the don't care must be duplicated in several buckets. This further increases the additional memory requirement and also if don't care bits are used then hash function has to access multiple buckets.

The method proposed by M. Somasundaram cascades RAM and CAM to build up the CAM functionality. This approach uses some unique bits in CAM entry which makes the partitions of the conventional TCAM table. But this is an extremely tiresome and time consuming task because it has totally random data.

RAM-based CAMs described have an exponential raise in memory volume. As number of bits increases which makes their use prohibitive. For example, if we take a CAM word of 36 bits; its memory size would be 236 = 64 GB. In addition the method is applicable only for data which is arranged in increasing order, but in usual CAM applications data are totally arbitrary. Here the data are arranged in increasing order which will disturb the original data. So, there must be another technique to store the addresses, which is absent in this method. If original address is considered, then it increases the power and also memory. But in the proposed method Z-TCAM supports a randomly huge bit pattern; there is memory for the storage of original addresses, with the help of suitable partitioning.

#### III. PROPOSED WORK

In this section will see the design of each block. The proposed method describe about the configuration of SRAM with associative memory. This gives the best possible result compared to basic associative memory. Here in our project we are using SRAM with TCAM to enhance the performance of the conventional TCAM memory. It consists of hybrid partitioning of the memory which involves both horizontal partition as well as vertical partitions. After successful partitioning along row wise and columnwise the subtables of the ternary memory are processed in order to store in the corresponding memory locations. Columnwise partitioning will help in decreasing the memory sizes of the ternary memory. Fig 1 shows the block diagram of Z-TCAM consisting of SRAM, address generator and ternary memory.



Fig 1: Block Diagram of Enhanced Z-TCAM

www.ijraset.com Volume 4 Issue VII, July 2016 IC Value: 13.98 ISSN: 2321-9653

## International Journal for Research in Applied Science & Engineering Technology (IJRASET)

#### A. Architecture of Z-TCAM

The structural design of the enhanced TCAM involves the L number of layers, an encoder circuit. Fig 2 shows the design of the Z-TCAM which consists of validation memory, original tables storing the original data and also the original address tables which stores the corresponding original addresses with respect to the data, and priority encoder circuits to select the address among the multiple matches.



Fig 2: Block Diagram of TCAM Memory

The layer of ternary memory consists of the following blocks

- 1) Validation Memory: The data subword is stored in the validation memory these will be act as an address during search operation. The validation memory will authenticate the presence of the data if the data is presence of data. If the data is present then corresponding memory location is activated. If the data is found in multiple location then the AND operation is used which is of 1-bit, which take the AND operation of the output of validation memory. This indicates whether the search operation should be continued or it should be stopped. If the output of AND is '1' then search will continue otherwise it indicates that mismatch hence stops the search operation.
- 2) Original data memory: The data which is stored in the validation memory will also be stored in the original data memory. It will also contain the address which is indexed by the subword. In this stage the data from the SRAM will be stored.
- 3) Original Address Table (OAT): Once the data is predefined in the original data memory the corresponding address for it will be stored in the original address table. If the data is found in more than one location then AND operation is used which will perform the K-bit operations on the output of OAT. The output of this will be sent to the encoder circuit.
- 4) Priority Encoder for Layer: Since we are using ternary associative memory so there may be a multiple matches, then the priority encoder circuit will be employed to locate the highest priority address. This will give all the potential match addresses from all the memory locations. Finally the output from the layer of TCAM will sent to the encoder circuit which will select the highest priority address for the input data.

#### Operation of Z-TCAM

There are mainly two operations of Z-TCAM they are as follows: Data Mapping & Data Searching

- 1) Data Mapping: In the Z-TCAM it involves partitioning of conventional TCAM table. This partition involves the binary data. The input data will be mapped into the validation memory. The data is also copied into the original data memory and its corresponding its address will stored in the original address table. During search operation this address will help in find particular. If the data is located in the validation memory location the logic '1' is written for that memory.
- 2) Data Searching: The data searching involves the searching in the layer and searching in the Z-TCAM. Steps for searching the data in the Z-TCAM
- a) The data to be searched will be applied to the validation memory.
- b) The validation memory will check for the presence of the data if the data is present the search operation will continue otherwise it will stop indicating the mismatch.
- c) Once the data is found in the original data memory it will compare the data which is stored in the SRAM. If data is matched then output will logic '1'.
- d) The corresponding address for the input data will be read from the original addresses table.
- e) If multiple matches are found then potential matched address will be produced from the layer.

www.ijraset.com Volume 4 Issue VII, July 2016 IC Value: 13.98 ISSN: 2321-9653

## International Journal for Research in Applied Science & Engineering Technology (IJRASET)

f) By using CAM's priority encoder the address which is having the highest priority will given at the output.

Z-TCAM involves the parallel search operation hence the speed of the search operation will enhanced compared to the conventional ternary memory. These types of memories will be required in the network routers for fast string matching. The proposed Z-TCAM results in the lesser power consumption. The priority encoder reduces the clock latency.

#### IV. SIMULATION RESULTS

All the simulation are done using the Xilinx ISE 12.2 tool by writing VHDL code for each blocks and simulated with help of Model Sim tool.



Fig 3: RTL model of internal view of Z-TCAM



Fig 4: Simulation results of data mapping into the Z-TCAM

www.ijraset.com Volume 4 Issue VII, July 2016 IC Value: 13.98 ISSN: 2321-9653

## International Journal for Research in Applied Science & Engineering Technology (IJRASET)



Fig 5: Simulation results of data searching into the Z-TCAM

#### V. CONCLUSION

The proposed Z-TCAM is highly efficient and higher speed. The search operation is done in a single clock cycle. The simulation results show the better memory utilization and speed. Since it is used in detecting the predefined patterns in IDS, it will help in fast search operation. And the proposed Z-TCAM is implemented on the FPGA hence it is easily programmable in the field. The architecture of Z-TCAM is very simple and large storage density when compared to the traditional ternary associative memory. The proposed Z-TCAM is successfully implemented. All the blocks are designed such as address generator, SRAM and the design of TCAM, this is able to search three bit information such as '0', '1', and 'U' states. Functionality of all the blocks is checked by writing VHDL code in Xilinx. And they are simulated using Model Sim tool. Finally they are implemented on the FPGA device.

#### **REFERENCES**

- [1] Zahid U, Manish K. J, and Ray C. C. Cheung, "Z-TCAM a SRAM based Architecture for TCAM", 14915122, vol.23, pp.no 402-406, IEEE 2015.
- [2] Hideyuki N, Kazunari I, Masayuki K, Futoshi I, Kouji Y, "A cost-efficient high-performance dynamic TCAM with pipeline hierarchical search and shift redundancy architecture", 0018-9200 vol. 40, pp. no 245–253, IEEE 2005.
- [3] Pagiamtsis K and Sheikholeslami A, "Content Addressable Memory Circuits and Architecture Tutorial and Survey", 8808623, vol. 41, pp.no 712-727, IEEE 2006.
- [4] Kun Haung, Linxuan D, Gaogang X, Dafang Z, Alex X L, Kave S, "Scalable TCAM-based Regular Expressions Match with Compressed Finite Automata", 978-1-4799-1640-5, pp.no 83-93, IEEE 2013.
- [5] N Mohan, W Fung, D Wright, and M Sachdev, "Design technique and test methodology for low power TCAMs", 1063-8210, vol. 14, no. 6, pp. 573–586, IEEE 2006.
- [6] Jarolahi H, Gripon V, Onizawa N, and Gross W J, "Algorithms and Architectures for a Low Power Content Addressable Memory based on Sparse Clustered Network", 1501282, vol.23, pp.no 642-653, IEEE 2014.
- [7] Sherif Y and Wayne L, "Bitwise Optimized CAM for Network Intrusion Detection System", 0-7803-9362-7, pp.no 444-449, IEEE 2005.
- [8] Jasmine C and Dr. Latha T, "Lookup Table for Hardware Based Signature Matching using Finite Automates", 1991-8178, pp.no 155-161, AJBAS 2015.
- [9] Ming G, Kenong Z, Jiahua L, "Efficient Packet Match for Gigabit Network Intrusion Detection system using TCAM", 1550-445X, ICAIA 2006.
- [10] Weirong J, Viktor K. P, "Scalable Packet Classifications on FPGA", 1063-8210, vol. 29, pp.no 1668-1680, IEEE 2012.
- [11] E. Mary Selvam and K. Balamurugan, "Area Efficient Lookup Engine based on TCAM's for Fast Route Update in Routers", 2321-2632, pp.no 6-10 vol. 2, IJMCSA 2014.
- [12] Naoya O, Warren J. G and Takahiro H, "A Low Energy Variation Tolerance Asynchronous TCAM for Network Intrusion Detection System", 1522-8681, pp.no 8-15, IEEE 2013.

www.ijraset.com Volume 4 Issue VII, July 2016 IC Value: 13.98 ISSN: 2321-9653

International Journal for Research in Applied Science & Engineering Technology (IJRASET)









45.98



IMPACT FACTOR: 7.129



IMPACT FACTOR: 7.429



# INTERNATIONAL JOURNAL FOR RESEARCH

IN APPLIED SCIENCE & ENGINEERING TECHNOLOGY

Call: 08813907089 🕓 (24\*7 Support on Whatsapp)