Yi-fan HE,Guo-yin XU,Hai-bin SHEN

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.01.042

2007-01-01

Abstract:In order to improve the performance of pattern-matching module in NIDS, an efficient engine for multi-gigabit rate, line-speed pattern-matching is proposed after analyzing a large amount of related work. By grouping and evenly storing patterns into CAM or TCAM according to their lengths and amount, as well as using payload-switching technique, this engine not only reaches multi-gigabit rate performance, but also has high storage efficiency. System performance can be improved further by using multiple process modules in parallel. In a 200 MHz Clock implementation, system throughput can reach more than 6 Gbit/s.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

AI Xin,TIAN Zhihong,ZHANG Hongli

2013-01-01

Abstract:The rapid growth of network traffic has brought new challenges to the deep packet inspection(DPI) technology;as a basic module,string matching algorithm greatly affects the performance of DPI.This paper optimizes the widely used multi-pattern matching AC algorithm by importing a balanced binary tree structure;it helps the algorithm to eliminate the useless state node of AC automaton,so it can accommodate the environment of large-scale pattern matching.The test results show that memory consumption of the optimized AVLAC algorithm is about 5% compared with the traditional AC algorithm when the pattern set comes to the 100 000 level.

Alan Kennedy,Xiaojun Wang,Zhen Liu,Bin Liu

DOI: https://doi.org/10.1109/date.2010.5457172

2010-01-01

Abstract:Deep Packet Inspection (DPI) involves searching a packet's header and payload against thousands of rules to detect possible attacks. The increase in Internet usage and growing number of attacks which must be searched for has meant hardware acceleration has become essential in the prevention of DPI becoming a bottleneck to a network if used on an edge or core router. In this paper we present a new multi-pattern matching algorithm which can search for the fixed strings contained within these rules at a guaranteed rate of one character per cycle independent of the number of strings or their length. Our algorithm is based on the Aho-Corasick string matching algorithm with our modifications resulting in a memory reduction of over 98% on the strings tested from the Snort ruleset. This allows the search structures needed for matching thousands of strings to be small enough to fit in the on-chip memory of an FPGA. Combined with a simple architecture for hardware, this leads to high throughput and low power consumption. Our hardware implementation uses multiple string matching engines working in parallel to search through packets. It can achieve a throughput of over 40 Gbps (OC-768) when implemented on a Stratix 3 FPGA and over 10 Gbps (OC-192) when implemented on the lower power Cyclone 3 FPGA.

Xu Kefu,Qi Deyu,Qian Zhengping,Zheng Weiping

DOI: https://doi.org/10.1109/icnsc.2008.4525325

2008-01-01

Abstract:High-speed packet content inspection and filtering devices rely on a fast multi-pattern matching algorithm which is used to detect predefined keywords or signatures in the packets. These signature sets are large (e.g., thousands) and complex. Multi-pattern matching is known to require intensive memory accesses and is often a performance bottleneck. Another problem is how to update the inconstant rule set from new attacks without halting the inspection. Hence, specialized fast dynamic pattern matching algorithms scalable for long rules are required for on-line speed deep packet inspection. We proposed a fast dynamic deep packet inspection algorithm using two pipelines which was flexible loosely coupled framework. In the fast pipeline, multiple parallel Counting Bloom filter engines which can perform fast dynamic query were adopted to achieve high throughput. Based on the principle of locality of programs, we set a threshold length for the scalability for long rules. In the relatively slow pipeline, we adopted dynamic pattern matching algorithm to distinguish the suspicious packet came from the fast pipeline. The analysis and the evaluation show that the high throughput of the algorithm can satisfy the wire speed dynamic inspection requirement when the low resource consumption further improves the scalability.

JM Yu,J Li

2005-01-01

Abstract:At the heart of almost every modern Network Intrusion Detection System (NIDS), there is a pattern matching engine (PME). As pattern matching is the most time consuming operation in NIDS, it is highly desired to reduce the pattern matching time of each packet or flow. This paper proposed a parallel pattern matching algorithm based on Aho-Corasick (AC) algorithm and an efficient load balance policy for it. The method is implemented on Intel's IXP2850 Network Processor (NP). Experimental results show that when using eight processors, the pattern matching time of each packet or flow can decrease to 60.44%similar to 14.42%. Based on the parallel algorithm, a PME utilizing parallel processing on three levels is proposed. Experimental results on IXP2850 show that the throughput speedup of pattern matching is 13.34 similar to 55.48 times.

Hao Xu,Harry Chang,Kun Qiu,Yang Hong,Wenjun Zhu,Xiang Wang,Baoqian Li,Jin Zhao

DOI: https://doi.org/10.1109/tnsm.2024.3354985

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Deep Packet Inspection (DPI) has been one of the most significant network security techniques. It is widely used to identify and classify network traffic in various applications such as web application firewall and intrusion detection. Different from traditional packet filtering that only examines packet headers, DPI detects payloads as well by comparing them with an existing signature database. The literal matching engine, which plays a key role in DPI, is the primary determinant of the system performance. FDR, an engine that utilizes 3 SIMD operations to match 1 character with multiple literals, has been developed and is currently one of the fastest literal matching engines. However, FDR has significant performance drop-off when faced with small-scale literal rule sets, whose proportion is more than 90% in modern databases. In this paper, we designed Teddy, an engine that is highly optimized for small-scale literal rule sets. Compared with FDR, Teddy significantly improves the matching efficiency by a novel shift-or matching algorithm that can simultaneously match up to 64 characters with only 15 SIMD operations. We evaluate Teddy with real-world traffic and rule sets. Experimental results show that its performance is up to 43.07x that of Aho-corasick (AC) and 2.17x that of FDR. Teddy has been successfully integrated into Hyperscan, together with which it is widely deployed in modern popular DPI applications such as Snort and Suricata.

computer science, information systems

YU Jianming,XU Bo,XUE Yibo

DOI: https://doi.org/10.3321/j.issn:1000-0054.2008.04.036

2008-01-01

Abstract:String matching in deep network inspection can be very time consuming. The characteristics of networked processors (NP) and string matching algorithms were examined from the system level optimization point of view to develop a deterministic finite automaton algorithm and a statistic caching strategy for the state transfer table based on a combined hardware/software design. The NP-based Aho-Corasick (NP-AC) algorithm reduces the total memory consumption and the number of memory accesses and increases the utilization rate and throughput of processing unit in network processors. Implementation on an Intel network processor demonstrates that algorithm can achieve 6.4 Gbps throughput on a single IXP2800.

Junchen Jiang,Xiaofei Wang,Keqiang He,Bin Liu

DOI: https://doi.org/10.1109/icc.2010.5501748

2010-01-01

Abstract:Multi-pattern matching is a key technique for implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against predefined attack signatures written in regular expressions (regexes). To this end, Deterministic Finite Automaton (DFA) is widely used for multi-regex matching, but existing DFAbased researches have claimed high throughput at an expenses of extremely high memory cost. In this paper, we propose a parallel architecture of DFA called Parallel DFA (PDFA), using multiple flow aggregations to increase the throughput with nearly no extra memory cost. The basic idea is to selectively store the DFA in multiple memory modules which can be accessed in parallel and to explore the potential parallelism. The memory cost of our system in both the average cases and the worst cases is analyzed, optimized and evaluated by numerical results. The evaluation shows that we obtain an average speedup of about 0.5k to 0.7k where k is the number of parallel memory modules under our synthetic trace and compressed real trace in a statistical average case, compared with the traditional DFA-based matching approaches.

WU Yong-chao,HUA Bei

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.08.056

2009-01-01

Abstract:【Abstract】Deep packet inspection is the bottleneck of a ,network intrusion detection system. This paper analyzes the characteristic of a ,real intrusion pattern string set, discusses the improvement of a multi-pattern matching algorithm FNP and its implementing optimization on a multi-core and multithreaded platform-Intel IXP2800 Network Processor Unit(NPU). Simulations on Intel IXP2800 NPU show ,that the improved ,FNP can achieve 6 Gb/s throughput on a 10 K-size randomly generated pattern sets, and has almost linear speedup. 【Key words】multi-pattern matching; network processor; parallel algorithm 计 ,算 ,机 ,工 ,程 Computer Engineering 第 35卷 ,第 8期 Vol.35 ,No.8 2009年 4月 April 2009 ·安全技术·,,1000—3428(2009)08—0166—03 文献标识码：A 中图分类号：TP393.08 1 概述

Ren Yue,Chen Miao,Li Bo,Wang Xueyuan,Li Xingzhi,Liao Zijun

DOI: https://doi.org/10.1109/cac53003.2021.9727422

2021-10-22

Abstract:With the rapid development of the Internet, network traffic is becoming more complex and diverse. At the same time, malicious traffic is growing. This seriously threatens the security of networks and information. However, the current DPI (Deep Packet Inspect) engine based on x86 architecture is slow in monitoring speed, which cannot meet the needs. Generally, two factors affect the detection rate: CPU and memory; The efficiency of data packet acquisition, and multi regular expression matching. Under these circumstances, this paper presents an efficient implementation of the DPI engine based on a generic x86 platform. DPDK is used as the platform of network data packets acquisition and processing. Using the multi-queue of the NIC (network interface controller) and the customized symmetric RSS key, the network traffic is divided and reorganized in the form of conversation. The core of traffic identification is hyperscan, which uses a flow pattern to match the packets load of a single conversation efficiently. It greatly reduces memory requirements. The method makes full use of the system resources and takes into account the advantages of high efficiency of hardware implementation. And it has a remarkable improvement in the efficiency of recognition.

ZHENG Bo,LIN Chuang,QU Yang

DOI: https://doi.org/10.1360/jos171949

2006-01-01

Journal of Software

Abstract:Nowadays, many high speed Internet applications require high speed multidimensional packet classification algorithms. Based on the uniqueness of Network Processor, this paper presents a multidimensional classification algorithm—AM-Trie (asymmetrical multi-bit trie). AM-Trie is a high speed, parallel and scalable algorithm and very fit for the "multi-thread and multi-core" feature of the Network Processor. A heuristic field division algorithm is also presented, and it is proved theoretically that it can find out the minimum storage cost solution when the height of the AM-Tire is given. Finally, a prototype is implemented based on Intel IXP 2400 Network Processor. The performance testing result shows that AM-Trie is a high-speed and scalable algorithm; the throughput of the whole system is influenced little by the size of rules and it can reach 2.5 Gbps wire speed.

NI Jia,LIN Chuang,CHEN Zhen

DOI: https://doi.org/10.3969/j.issn.0258-7998.2007.08.056

2007-01-01

Abstract:The HBM algorithm is proposed as a new multi-pattern matching algorithm and an anti-worm engine with HBM algorithm is implemented and optimized on an Intel IXP 2400 network processor. It gives a stable performance and meets the needs of Gigabit Ethernet according to the experiment results.

SHAO Zong-you,LIU Xing-kui,LIU Xin-chun,SUN Ning-hui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.03.014

2013-01-01

Computer Science

Abstract:As the network bandwidth continuously increases,the network security has been seriously threatened by malicious behaviors and risks.Network intrusion detection system(NIDS) is one of the efficient measures to cope with intrusion threats and protect information security,which employs pattern matching techniques to analyze incoming packe-ts and detect potential threats.However,pattern matching is such a compute-intensive task that most current techniques can't meet the demand of NIDS for backbone networks over 10Gbps speed.We proposed a novel Bloom filter based approach for pattern matching,called PBPM(Parallel-Bloom-filter-based multi-Pattern Matching).PBPM employs multiple copies of the same Bloom filter to carry out parallel matching on different positions of the input text at the same time.The fine-grained parallel approach is able to skip multiple characters per clock when implemented on FPGAs,dramatically improving pattern matching performance.Experimental results on the rule set from Snort 2.9 show that the throughput of PBPM exceeds more than 20Gbps.

Zhikai Zhang,Youjian Zhao,Guanghui Yang,Xiaoping Zhang

DOI: https://doi.org/10.1109/GLOCOM.2010.5683877

2010-01-01

Abstract:Traditional DFA based DPI (Deep Packet Inspection) string matching architectures either suffer from throughput bottleneck or unfeasible memory requirement, or both. Bloom Filter based schemes, on the other hand, only provide indefinite and unprecise match results. In this paper, we propose a novel string matching data structure called Overlapped Substring Classifier(OSC), which tries to compromise between these two ends. Instead of using incoming byte flow directly, we use OSC to extract the characteristic digest of the incoming string, which we demonstrate would be sufficient for locating a very small set of possible match, using DFA techniques. This type of match ambiguity and false-positive inaccuracy can be tuned to be negligible. The scheme is perfectly suitable for efficient and parallel hardware implementation, which makes ultra high performance and low memory usage simultaneously possible. A hardware architecture is also designed supporting single-threaded scanning rate of 10Gbp, with only moderate memory requirement and clock rate assumption.

Hassan Jalil Hadi,Khurram Shahzad,Naveed Ahmed,Yue Cao,Yasir Javed

DOI: https://doi.org/10.1109/trustcom60117.2023.00354

2024-01-01

Abstract:Pattern matching in Intrusion Detection Systems (IDS) is one of the most critical and time-consuming elements, allowing the system to make decisions based on the real-time threats across the network. A pattern-matching method can be software-based or hardware-based. In this paper, a hardware implementation of bit-split algorithm has been discussed for pattern matching in order to detect unwanted traffic for a maximum number of rulesets. A hardware-based string matching scheme has been preferred here due to its fast speed and quick data parallelism for the high-performance Intrusion Detection System (IDS). The prototype of the detection method is implemented on Spartan SP605 with a small number of rules. For a large number of rules, a multi-scale Field Programmable Gate Array (FPGA)-based hardware architecture has been implemented in which we have used NetFPGA-SUME. This FPGA board has examined incoming packets at a bit rate of 1.25 Gb/sec with an operational frequency of 156.25MHZ. Furthermore, high-level data parallelism has been implemented by instantiating more than one match engine for handling multiple packets to achieve high throughput (T p ).

Yaxuan Qi,Zongwei Zhou,Yiyao Wu,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5684120

2010-01-01

Abstract:With the continual growth of network speed and the increasing sophistication of network applications, keeping network operations efficient and secure becomes more challenging. Pattern matching is one of the key technologies for content-ware network processing, such as traffic classification, application identification and intrusion prevention. In this paper, we propose a hybrid pattern matching algorithm optimized for multi-core network processing platforms. As a system-level solution, our scheme focuses on both performance stability and hardware/software co-design. To verify the effectiveness of our design, the proposed algorithm is implemented on a state-of-art 16-MIPS-core network processing platform and evaluated with real-life data sets. Experimental results show that, when compared with the traditional Aho-Corasick algorithm, our hybrid solution saves 60~95% memory space while guarantees stable performance on large pattern sets and against adverse test traffic.

Gang He,Bo Sun,Yang Liu,Xiaochun Wu

DOI: https://doi.org/10.1109/icnidc.2012.6418760

2012-01-01

Abstract:The efficiency of multiple pattern matching is the core technology of Deep Packet Inspection and it is important to the real word of internet traffic analysis. In this research we propose a new multiple pattern matching technique for the fixed pattern in the packet load, which is called I-HASH multiple various position pattern matching algorithm. It is used to improve the matching speed through the preprocessing. Proposed algorithm is implemented in our experiments and compared with the existing method. The results demonstrate that our algorithm is much more effective than STRCMP algorithm, especially when the number of patterns is quiet large. This will be extraordinarily helpful in the areas of Internet application identification system and network intrusion detection system and so on, which contain huge amounts of fixed patterns.

Meiting Xue,Kainuo Ni,Yan Zeng,Yuyu Yin,Baokang Zhao

DOI: https://doi.org/10.1109/ngdn61651.2024.10744179

2024-01-01

Abstract:Deep Packet Inspection (DPI) serves as a critical tool for application-layer traffic detection and control, utilized extensively for the identification and prevention of cyberattacks, the interception of malware, and the monitoring of network traffic. With the rapid development of towards the integration of various network technologies through programmable technologies, the exploration of polymorphic network architectures has intensified and has been an important research directions. Nevertheless, existing DPI approaches are faced with significant challenges in dealing with the complexities of heterogenous networks and achieving timely detection in intricate environments. This paper introduces an innovative, efficient DPI methodology tailored for polymorphic networks. It incorporates a multi-set search algorithm, which hybridizes hash tables and cuckoo filters, enhancing search efficiency. Furthermore, an attack detection mechanism is developed, grounded in the concept of overload attacks, to accurately identify and respond to such threats. A mitigation strategy is proposed, leveraging the power of DPI, to effectively counteract the adverse effects of flow table overload attacks. Empirical evaluations confirm the proposed detection method suitability for networks, demonstrating a 2x-3x improvement in performance compared to conventional algorithms, along with a superior false positive rate. The attack detection and mitigation approach presented herein successfully withstands the onslaught of flow table overload attacks, reinforcing the resilience of polymorphic network environments.

Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1109/icccn.2011.6005927

2011-01-01

Abstract:Multi-pattern matching algorithm and architecture is critical for packet inspection based network security applications, especially for high speed network or large pattern sets. This paper presents a method to optimize the potential memory usage of DFA based algorithms for multi-pattern expression matching by the combining DFA's paths, named isomorphic path combination (IMPC). To achieve IMPC, a novel multi-pattern matching algorithm, called ACS, is proposed, which is based on CDFA. Compared to the algorithms on DFA, our method can reduce 78.6% states for Snort pattern set, which results in one of the most memory efficient methods. The most important is that our method is a kind of optimization and can be embedded to other algorithms as the second step for better results. Finally the architecture based on ACS is proposed and the experimental results show that 47.6% to 84.0% memory space can be saved for different size of pattern sets as compared to the best known architectures. The method is another one based on CDFA. It means that CDFA may be a more proper model for multi-pattern matching than other FAs.