Fengjun Shang,Xuezeng Pan

2007-01-01

Journal of Computational Information Systems

Abstract:The process of categorizing packets into 'flows' in an Internet router is called packet classification. All packets belonging to the same flow obey a pre-defined rule and are processed in a similar manner by the router. In general, packet classification on multiple fields is a difficult problem. In this paper, an algorithm is proposed called Hash Packet Classification based on Non-collision Hash and XOR Hash (NHXH). The NHXH algorithm introduces XOR operation to obtain a hash key value. The computation of an NHXH algorithm key value consists of three steps. Firstly, the non-collision hash function is structured, which is constructed mainly based on destination/source port and protocol type field so that the hash function usually can avoid space explosion problem. Secondly, the source/destination IP pairs are concatenated and then dividing the packet header into 4 chunks, each of which has 16bits in size. Thirdly, each chunk is mapped into stochastic space and XOR operation on the random number mapped 4 chunks. Because the stochastic space follows even distribution after XORing operation so that its collision rate is limitary. Lastly, every rule index is found in order to ensure the validity so that the final rule index is acquired. The test results show that the classification rate of NHXH algorithm is up to 2 million packets per second and the maximum memory consumed is 8MB for 10000 rules.

Zongwei Zhou,Yibo Xue,Junda Liu,Wei Zhang,Jun Li

DOI: https://doi.org/10.1007/978-3-540-77048-0_16

2007-01-01

Abstract:String matching algorithm is one of the key technologies in numerous network security applications and systems. Nowadays, the increasing network bandwidth and pattern set size both calls for high speed string matching algorithm for large-scale pattern set. This paper proposes a novel algorithm called Multi-phase Dynamic Hash (MDH), which cut down the memory requirement by multi-phase hash and explore valuable pattern set information to speed up searching procedure by dynamic-cut heuristics. The experimental results demonstrate that MDH can improve matching performance by 100% to 300% comparing with other popular algorithms, whereas the memory requirement stays in a comparatively low level.

Fangxin Liu,Wenbo Zhao,Yongbiao Chen,Zongwu Wang,Zhezhi He,Rui Yang,Qidong Tang,Tao Yang,Cheng Zhuo,Li Jiang

DOI: https://doi.org/10.1145/3489517.3530575

2022-01-01

Abstract:Deep hashing has gained growing momentum in large-scale image retrieval. However, deep hashing is computation- and memory-intensive, which demands hardware acceleration. The unique process of hash sequence computation in deep hashing is non-trivial to accelerate due to the lack of an efficient compute primitive for Hamming distance calculation and ranking. This paper proposes the first PIM-based scheme for deep hashing accelerator, namely PIM-DH. PIM-DH is supported by an algorithm and architecture co-design. The proposed algorithm seeks to compress the hash sequence to increase the retrieval efficiency by exploiting the hash code sparsity without accuracy loss. Further, we design a lightweight circuit to assist CAM to optimize hash computation efficiency. This design leads to an elegant extension of current PIM-based architectures for adapting to various hashing algorithms and arbitrary size of hash sequence induced by pruning. Compared to the state-of-the-art software framework running on Intel Xeon CPU and NVIDIA RTX2080 GPU, PIM-DH achieves an average 4.75E+03 speedup with 4.64E+05 energy reduction over CPU, 2.30E+02 speedup with 3.38E+04 energy reduction over GPU. Compared with PIM architecture CASCADE, PIM-DH can improve

Derek Chi-Wai Pao,Wei Lin,Bin Liu

DOI: https://doi.org/10.1145/1839667.1839672

2010-01-01

Abstract:With rapid advancement in Internet technology and usages, some emerging applications in data communications and network security require matching of huge volume of data against large signature sets with thousands of strings in real time. In this article, we present a memory-efficient hardware implementation of the well-known Aho-Corasick (AC) string-matching algorithm using a pipelining approach called P-AC. An attractive feature of the AC algorithm is that it can solve the string-matching problem in time linearly proportional to the length of the input stream, and the computation time is independent of the number of strings in the signature set. A major disadvantage of the AC algorithm is the high memory cost required to store the transition rules of the underlying deterministic finite automaton. By incorporating pipelined processing, the state graph is reduced to a character trie that only contains forward edges. Together with an intelligent implementation of look-up tables, the memory cost of P-AC is only about 18 bits per character for a signature set containing 6,166 strings extracted from Snort. The control structure of P-AC is simple and elegant. The cost of the control logic is very low. With the availability of dual-port memories in FPGA devices, we can double the system throughput by duplicating the control logic such that the system can process two data streams concurrently. Since our method is memory-based, incremental changes to the signature set can be accommodated by updating the look-up tables without reconfiguring the FPGA circuitry.

Miao Hou,YingHui Song,Dongliang Xu,Hongli Zhang

DOI: https://doi.org/10.1007/978-3-642-41674-3_122

2014-01-01

Abstract:With the increasing of network throughput, the size of pattern sets in Network Intrusion Detection System (NIDS) are growing gradually, how to reduce memory space of pattern sets has become one of the research hot spots. This paper presents a multi-pattern matching algorithm which combines the classical Aho-Corasick (AC) algorithm with Double Array Trie (DAT), called DAT-AC. We use two linear arrays to determine the state transition and decrease the memory space by reducing the unnecessary state transition. Experimental results demonstrate that DAT-AC performs better than the classical AC algorithm, when the number of pattern is larger than five thousand.

Hongbin Lu,Kai Zheng,Bin Liu,Xin Zhang,Yunhao Liu

DOI: https://doi.org/10.1109/jsac.2006.877221

IF: 16.4

2006-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The ability to inspect both packet headers and payloads to identify attack signatures makes network intrusion detection system (NIDS) a promising approach to protect Internet systems. Since most of the known attacks can be represented with strings or combinations of multiple substrings, string matching is a key component, as well as the bottleneck in NIDS to address the requirement of constantly increasing capacity. We propose a memory-efficient multiple-character-approaching architecture consisting of multiple parallel deterministic finite automata (DFAs), called TDP-DFA. By employing efficient representations for the transition rules in each DFA, TDP-DFA significantly reduces the complexity. We also present a novel scheme to share the storage of transition rules among multiple DFAs, substantially decreasing the total storage cost, and avoiding the cost increase being proportional to the number of DFAs. We evaluate this design through theoretical analysis and comprehensive experiments. Results show that TDP-DFA is able to meet the critical requirement of OC-768 wirespeed processing, as well as constituting a promising way for scaling up to cope with throughput over 100 Gb/s in the future

Wei Lin,Bin Liu

DOI: https://doi.org/10.1109/ICPADS.2008.47

2008-01-01

Abstract:New applications such as real-time packet processing require high-speed string matcher, and the number of strings in pattern store is increasing to tens of thousands, which requires a memory efficient solution. In this paper, a pipelined parallel approach for hardware implementation of Aho-Corasick (AC) algorithm for multiple strings matching called P2-AC is presented. P2-AC organizes the transition rules in multiple stages and processes in pipeline manner, which significantly simplifies the DFA state transition graph into a character tree that only contains forwarding edges. In each stage, parallel SRAMs are used to store and access transition rules of DFA in memory. Transition rules can be efficiently stored and accessed in one cycle. The memory cost is less than 47% of the best known AC-based methods. P2-AC supports incremental update and scales well with the increasing number of strings. By employing two-port SRAMs, the throughput of P2-AC is doubled with little control overhead.

Ping Zeng,Qingping Tan,Xiankai Meng,Zeming Shao,Qinzheng Xie,Ying Yan,Wei Cao,Jianjun Xu

DOI: https://doi.org/10.1371/journal.pone.0175500

IF: 3.7

2017-01-01

PLoS ONE

Abstract:In this paper, based on our previous multi-pattern uniform resource locator (URL) binary-matching algorithm called HEM, we propose an improved multi-pattern matching algorithm called MH that is based on hash tables and binary tables. The MH algorithm can be applied to the fields of network security, data analysis, load balancing, cloud robotic communications, and so on-all of which require string matching from a fixed starting position. Our approach effectively solves the performance problems of the classical multi-pattern matching algorithms. This paper explores ways to improve string matching performance under the HTTP protocol by using a hash method combined with a binary method that transforms the symbol-space matching problem into a digital-space numerical-size comparison and hashing problem. The MH approach has a fast matching speed, requires little memory, performs better than both the classical algorithms and HEM for matching fields in an HTTP stream, and it has great promise for use in real-world applications.

Yu Jianming,Xue Yibo,Li Jun

DOI: https://doi.org/10.1016/s1007-0214(07)70137-2

2007-01-01

Tsinghua Science & Technology

Abstract:As the core algorithm and the most time consuming part of almost every modern network intrusion management system (NIMS), string matching is essential for the inspection of network flows at the line speed. This paper presents a memory and time efficient string matching algorithm specifically designed for NIMS on commodity processors. Modifications of the Aho-Corasick (AC) algorithm based on the distribution characteristics of NIMS patterns drastically reduce the memory usage without sacrificing speed in software implementations. In tests on the Snort pattern set and traces that represent typical NIMS workloads, the Snort performance was enhanced 1.48%-20% compared to other well-known alternatives with an automaton size reduction of 4.86-6.11 compared to the standard AC implementation. The results show that special characteristics of the NIMS can be used into a very effective method to optimize the algorithm design.

Dongliang Xu,Hongli Zhang,Miao Hou

DOI: https://doi.org/10.1007/978-3-319-11119-3_19

2014-01-01

Abstract:Network Intrusion Detection Systems (NIDS) have become widely recognized as powerful tools for identifying, deterring and deflecting malicious attacks over the network. New generations of network intrusion detection systems create the need for advanced pattern-matching engines. This paper proposes an improved AC algorithm, called Semi-AC. We contribute modifications to the Aho-Corasick string-matching algorithm that drastically reduce the amount of memory required. Its efficiency is close to the standard AC, but the space is saved 50% or more.

Baohua Sun,Yifu Li,Xiangzhan Yu,So-Zen Yao

DOI: https://doi.org/10.18178/wcse.2017.06.012

2017-01-01

Abstract:Multi-pattern matching is widely used in text retrieval, intrusion detection, information retrieval and many other areas.Aho-Corasick algorithm is a main method for multi-pattern matching for its high efficiency and stability.However, with the continuous expansion of the scale of the pattern set, Aho-Corasick algorithm faces the double test of memory consumption and the processing time.This paper summarizes several frequently used optimized methods of Aho-Corasick automaton, and proposes a new algorithm called BIT-AVL-AC, which is fused with the AVL tree and the bit vector.The experiments show that this algorithm provides a good trade-off between memory usage and processing speed with large-scale pattern sets.

Yang Xu,Zhaobo Liu,Zhuoyuan Zhang,H. Jonathan Chao

DOI: https://doi.org/10.1109/tnet.2013.2270441

2014-01-01

IEEE/ACM Transactions on Networking

Abstract:The emergence of new network applications, such as the network intrusion detection system and packet-level accounting, requires packet classification to report all matched rules instead of only the best matched rule. Although several schemes have been proposed recently to address the multimatch packet classification problem, most of them require either huge memory or expensive ternary content addressable memory (TCAM) to store the intermediate data structure, or they suffer from steep performance degradation under certain types of classifiers. In this paper, we decompose the operation of multimatch packet classification from the complicated multidimensional search to several single-dimensional searches, and present an asynchronous pipeline architecture based on a signature tree structure to combine the intermediate results returned from single-dimensional searches. By spreading edges of the signature tree across multiple hash tables at different stages, the pipeline can achieve a high throughput via the interstage parallel access to hash tables. To exploit further intrastage parallelism, two edge-grouping algorithms are designed to evenly divide the edges associated with each stage into multiple work-conserving hash tables. To avoid collisions involved in hash table lookup, a hybrid perfect hash table construction scheme is proposed. Extensive simulation using realistic classifiers and traffic traces shows that the proposed pipeline architecture outperforms HyperCuts and B2PC schemes in classification speed by at least one order of magnitude, while having a similar storage requirement. Particularly, with different types of classifiers of 4K rules, the proposed pipeline architecture is able to achieve a throughput between 26.8 and 93.1 Gb/s using perfect hash tables.

Junchen Jiang,Yi Tang,Bin Liu,Xiaofei Wang,Yang Xu

DOI: https://doi.org/10.1145/1882486.1882523

2009-01-01

Abstract:ABSTRACTDeterministic Finite Automaton (DFA) is well-known for its constant matching speed in worst case, and widely used in multi-string matching, which is a critical technique in high performance Network Intrusion Detection System (NIDS) design. Existing DFA-based researches achieve high throughput at the expense of extremely high memory cost, so they fail to be used in situations like embedded systems where very tight memory resource is available. In this paper, we propose a memory-efficient multi-string matching acceleration scheme named Synergic Parallel Compact (SPC) Match Engine, which can provide a high matching speedup with no extra memory cost than the traditional DFA. Our scheme can be understood as consisting of k SPC-FAs, each of which can process one character from the input stream, causing achieving a constant speedup factor k with reduced memory occupation. Experimental evaluations with Snort and ClamAV rulesets show that a speedup of 9X can be practically achieved by a single SPC Match Engine instance with a reduced memory size than the up-to-date DFA-based compression approaches.

Derek Chi-Wai Pao,Wei Lin,Bin Liu

DOI: https://doi.org/10.1109/l-ca.2008.5

IF: 2.3

2008-01-01

IEEE Computer Architecture Letters

Abstract:We present a pipelined approach to hardware implementation of the Aho-Corasick (AC) algorithm for string matching called P-AC. By incorporating pipelined processing, the state graph is reduced to a character trie that only contains forward edges. Edge reduction in P-AC is very impressive and is guaranteed algorithmically. For a signature set with 4434 strings extracted from the Snort rule set, the memory cost of P-AC is only 21.5 bits/char. The simplicity of the pipeline control plus the availability of 2-port memories allow us to implement two pipelines sharing the set of lookup tables on the same device. By doing so, the system throughput can be doubled with little overhead. The throughput of our method is up to 8.8 Gbps when the system is implemented using 550MHz FPGA.

AI Xin,TIAN Zhihong,ZHANG Hongli

2013-01-01

Abstract:The rapid growth of network traffic has brought new challenges to the deep packet inspection(DPI) technology;as a basic module,string matching algorithm greatly affects the performance of DPI.This paper optimizes the widely used multi-pattern matching AC algorithm by importing a balanced binary tree structure;it helps the algorithm to eliminate the useless state node of AC automaton,so it can accommodate the environment of large-scale pattern matching.The test results show that memory consumption of the optimized AVLAC algorithm is about 5% compared with the traditional AC algorithm when the pattern set comes to the 100 000 level.

Xun Li,Lishui Chen,Yazhe Tang

2020-01-01

Romanian journal of information science and technology

Abstract:High-speed content inspection relies on a fast multi-pattern matching algorithm to detect predefined rules. When the number of target rules becomes large, the memory requirements of the matching engine become a critical issue. An effective technique to design high-performance matching engines is to divide the target rule set into multiple subgroups and to use a parallel matching hardware unit for each subgroup. The key to this effective technique is how to find a strategy to divide subgroups. This paper proposes an effective rule classifying method referred to as HARD for heterogeneous bit-split string matching architectures. HARD uses the uniqueness of the target pattern to classify all target rule characters. This paper also presents a method to estimate the distance between strings in unique pattern category. The distance formula is next used to find a class for each rule. Furthermore, each class will be processed on different sizes of finite state machine. The experimental results show that the more the number of rules in the rule set, the more obvious the effect of HARD. In popular data sets, when the number of rules is above 4000, HARD can save nearly 50% of memory consumption compared to the previous bit-split string matching methods mentioned in the paper.

Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1145/1882486.1882507

2009-01-01

Abstract:Multiple pattern matching architecture is critical for content inspection based network security applications, especially for high speed network or large pattern sets. This paper presents a method to optimize the potential memory usage for multiple string or regular expression matching by the idea of combining DFA's paths, named isomorphic path combination (IMPC). To achieve IMPC, a novel multiple pattern matching algorithm is proposed, which is based on Cached DFA (CDFA). Compared to extended AC algorithm based on DFA, our method on CDFA can reduce 78.6% states for Snort pattern set, which results in one of the most memory efficient methods. More important is that our method can be embedded to other algorithms as the optimization.

Wei Zhang,Yibo Xue,Zongwei Zhou,Dongsheng Wang

DOI: https://doi.org/10.3772/j.issn.1002-0470.2009.06.001

2009-01-01

Abstract:In view of the problem that the performance of the classical pattern matching (one of the key technologies for network and information security systems) algorithms degrades seriously when the patterns become large, especially over 50000, this paper proposes a new architectural large-scale pattern matching algorithm (ALPM) for large-scale pattern sets. Based on the shift concept of the classical Wu-Manber (WM) algorithm and combined with its features of hardware architecture, the ALPM adopts several pre-processing and matching strategies, such as utilizing two different Hash functions to access the Shift and hash tables, optimizing pre-processing to choose the best entry signs from patterns for the two tables and adjusting the Hash confliction dynamically with the Cache size and the pattern quantity, to improve the matching performance. The experimental results show that for the large-scale pattern set, the matching performance of the ALPM is 5-10 times higher than that of the classical WM.

Mohammad Hashem Haghighat,Zhe Fu,Jun Li

DOI: https://doi.org/10.1145/3234664.3234669

2018-01-01

Abstract:Several security devices use signature based detection engine to detect malicious activities through the internet. The main challenge of this scenario is to keep up with the increase of line speed. On one hand, regular expression (regex) patterns allow security analysts to express more complicated attacks. On the other hand, they make pattern matching procedure much more costly. Several finite automata based techniques have been proposed to speed up the matching procedure. However, they are still impractical in the real world, due to their high spatial or temporal complexity.In this paper, a novel technique, called HES, is proposed to handle tens of thousands regex patterns, with minimum space limitation. The experimental results over several rule sets including Snort and Bro, as two leading open source intrusion detection systems, as well as random regex patterns, reveals us HES matched patterns significantly faster than DFA, as one of the fastest state-of-the-art techniques. In addition, the HES storage requirement is close to NFA, which leads as one of the most compact method. These results proved that HES can be used in the real world, as a signature based matching engine, and gives us the power to use more regex patterns.

Alan Kennedy,Xiaojun Wang,Zhen Liu,Bin Liu

DOI: https://doi.org/10.1109/date.2010.5457172

2010-01-01

Abstract:Deep Packet Inspection (DPI) involves searching a packet's header and payload against thousands of rules to detect possible attacks. The increase in Internet usage and growing number of attacks which must be searched for has meant hardware acceleration has become essential in the prevention of DPI becoming a bottleneck to a network if used on an edge or core router. In this paper we present a new multi-pattern matching algorithm which can search for the fixed strings contained within these rules at a guaranteed rate of one character per cycle independent of the number of strings or their length. Our algorithm is based on the Aho-Corasick string matching algorithm with our modifications resulting in a memory reduction of over 98% on the strings tested from the Snort ruleset. This allows the search structures needed for matching thousands of strings to be small enough to fit in the on-chip memory of an FPGA. Combined with a simple architecture for hardware, this leads to high throughput and low power consumption. Our hardware implementation uses multiple string matching engines working in parallel to search through packets. It can achieve a throughput of over 40 Gbps (OC-768) when implemented on a Stratix 3 FPGA and over 10 Gbps (OC-192) when implemented on the lower power Cyclone 3 FPGA.