YangBaohua,FongJeffrey,JiangWeirong,XueYibo,LiJun

IF: 3.183

2014-01-01

IEEE Transactions on Computers

Abstract:Multituple packet classification is one of the key technologies, and often the performance bottleneck in modern network devices. Devices such as firewalls demand fast packet classification on very ...

Longlong Zhu,Jiashuo Yu,Long Huang,Linying Zheng,Jinpfeng Pan,Zhengyan Zhou,Hanze Chen,Dong Zhang,Xiang Chen,Chunming Wu

DOI: https://doi.org/10.1109/icc45041.2023.10278977

2023-01-01

Abstract:Packet classification is a crucial component in computer networking. To achieve high throughput and low memory consumption, existing solutions apply different heuristics in each construction stage to build efficient decision trees. However, previous studies divide the tree construction process based on the scale of rule subsets which is indirect to the performance goal, leading to massive rule replication and high tree depth. In this paper, we propose MiCuts, a fine-grained framework for packet classification with both high speed and low memory footprint. Its key idea is directly utilizing rule replication and tree depth to divide the tree-building process into three stages, each with suitable optimization goals. First, it partitions rules and builds shallow semi-trees without rule replication via selecting effective bits. Second, it transforms the switching problem of heuristics into an ILP problem and aims to minimize memory consumption while ensuring high lookup speed. Third, it merges some nodes to eliminate memory explosion caused by splitting, where MiCuts combines splitting and linear search. Extensive experimental results on ClassBench show that MiCuts outperforms state-of-the-art approaches, improving lookup speed by 1.71× while reducing memory footprint by 74.4% on average.

Baohua Yang,Yaxuan Qi,Fei He,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/infcomw.2009.5072130

2009-01-01

Abstract:Packet classification is still a challenging problem in practice under large number of classification rules and constant growth of performance requirement. Most of the existing algorithms try to solve the problem heuristically by leveraging on the inherent field-level characteristics of the rules. This paper proposes a bit-level heuristic framework: Discrete Bit Selection (DBS) for multi-dimensional packet classification. Preliminary experimental results show that DBS-based algorithm gains much better performance both in search time and memory requirement than the well-known field-level algorithms with various real-life rule sets.

Baohua Yang,Xiang Wang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/ICPADS.2009.53

2009-01-01

Abstract:Packet classification is one of the most critical techniques in many network devices such as firewall, IDS and IPS, etc. In order to meet the performance requirement for high speed Internet (even higher than 10 Gbps), practical algorithms must keep better spatial and temporal performance. Moreover, as the size of rule set is increasing to tens of thousands, novel packet classification algorithms must have good scalability. In this paper, we propose a novel packet classification algorithm named DBS (discrete bit selection) which takes a bit level heuristic design to partition the rule set effectively. To the best of our knowledge, DBS is the first try to design a heuristic classification algorithm at bit-level. To evaluate the performance of our algorithm, DBS is deployed on a popular multi-core network processor platform, compared with two existing well-known algorithms. Experimental results show that DBS achieves 300% higher throughput than HiCuts and HSM, while the memory requirement is reduced to about 10% averagely. DBS works well especially with large rule set (10K), which trends a good scalability.

Jiashuo Yu,Long Huang,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/ISCC58397.2023.10218304

2023-01-01

Abstract:Packet classification is an essential part of computer networks. Existing algorithms propose a partition process to address the memory explosion problem of the decision tree algorithm caused by the huge number of rules with multiple fields. However, the search process requires traversing multiple trees generated by the partition, which reduces the search efficiency. The existing algorithms take simple approaches to optimize the search process, which is low efficiency or high hardware overhead. In this paper, we propose DTRadar, a framework for expediting the decision tree packet lookup process. Its key idea is building an abstract One-Big-Tree(OBT) for multiple decision trees by establishing the middle data structure. DTRadar considers each decision tree as a splittable tree and organizes these subtrees by intermediate data structures. Extensive experiments show that DTRadar benefits existing decision tree-based solutions in classification time by 61.60%, and the memory footprint only increased by 4.21% on average.

Yaxuan Qi,Jun Li

2006-01-01

Abstract:Multidimensional Packet Classification is one of the most critical functions for network security devices such as firewalls and intrusion detection systems. Due to the worst case bounds found in computational geometry, most of the existing algorithms for multidimensional packet classification trade memory usage for search speed in order to achieve better overall performance. Although some of these algorithms are proved to be efficient on small number of classification rules, they scale poorly in either search time or memory usage when the number of rules grows. In this paper, we propose an efficient hybrid algorithm named sBits, which combines the advantages of two best existing algorithms, RFC and HiCuts. Compared to RFC and HiCuts, sBits uses 10 to 400 times less memory storage and 30% to 50% less time in worst case search. sBits also reduces the heavy computational burden in pre-processing. Its full update time is 10 to 100 times less than RFC and HiCuts.

Zhengyu Liao,Shiyou Qian,Zhonglong Zheng,Jiange Zhang,Jian Cao,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/tnet.2024.3452780

2024-01-01

Abstract:Packet classification, as a crucial function of networks, has been extensively investigated. In recent years, the rapid advancement of software-defined networking (SDN) has introduced new demands for packet classification, particularly in supporting dynamic rule updates and fast lookup. This paper presents a novel structure called DBTable for efficient packet classification to achieve high overall performance. DBTable integrates the strengths of conventional packet classification methods and neural network concepts. Within DBTable, a straightforward indexing scheme is proposed to eliminate rule replication, thereby ensuring high update performance. Additionally, we propose an iterative method for generating a discriminative bitset (DBS) to evenly partition rules. By utilizing the DBS, rules can be efficiently mapped in a hash table, thus achieving exceptional lookup performance. Moreover, DBTable incorporates a hybrid structure to further optimize the worst-case lookup performance, primarily caused by data skewness. The experiment results on 12 256k rulesets show that, compared to seven state-of-the-art schemes, DBTable achieves an overall lookup speed improvement ranging from 1.53x to 7.29x, while maintaining the fastest update speed.

Yang Xu,Zhaobo Liu,Zhuoyuan Zhang,H. Jonathan Chao

DOI: https://doi.org/10.1109/tnet.2013.2270441

2014-01-01

IEEE/ACM Transactions on Networking

Abstract:The emergence of new network applications, such as the network intrusion detection system and packet-level accounting, requires packet classification to report all matched rules instead of only the best matched rule. Although several schemes have been proposed recently to address the multimatch packet classification problem, most of them require either huge memory or expensive ternary content addressable memory (TCAM) to store the intermediate data structure, or they suffer from steep performance degradation under certain types of classifiers. In this paper, we decompose the operation of multimatch packet classification from the complicated multidimensional search to several single-dimensional searches, and present an asynchronous pipeline architecture based on a signature tree structure to combine the intermediate results returned from single-dimensional searches. By spreading edges of the signature tree across multiple hash tables at different stages, the pipeline can achieve a high throughput via the interstage parallel access to hash tables. To exploit further intrastage parallelism, two edge-grouping algorithms are designed to evenly divide the edges associated with each stage into multiple work-conserving hash tables. To avoid collisions involved in hash table lookup, a hybrid perfect hash table construction scheme is proposed. Extensive simulation using realistic classifiers and traffic traces shows that the proposed pipeline architecture outperforms HyperCuts and B2PC schemes in classification speed by at least one order of magnitude, while having a similar storage requirement. Particularly, with different types of classifiers of 4K rules, the proposed pipeline architecture is able to achieve a throughput between 26.8 and 93.1 Gb/s using perfect hash tables.

Yang Xu,Zhaobo Liu,Zhuoyuan Zhang,H. Jonathan Chao

DOI: https://doi.org/10.1145/1882486.1882537

2009-01-01

Abstract:ABSTRACTThe emergence of new network applications like network intrusion detection system, packet-level accounting, and load-balancing requires packet classification to report all matched rules, instead of only the best matched rule. Although several schemes have been proposed recently to address the multi-match packet classification problem, most of them require either huge memory or expensive Ternary Content Addressable Memory (TCAM) to store the intermediate data structure, or suffer from steep performance degradation under certain types of classifiers. In this paper, we decompose the operation of multi-match packet classification from the complicated multi-dimensional search to several single-dimensional searches, and present an asynchronous pipeline architecture based on a signature tree structure to combine the intermediate results returned from single-dimensional searches. By spreading edges of the signature tree in multiple hash tables at different stages of the pipeline, the pipeline can achieve a high throughput via the inter-stage parallel access to hash tables. To exploit further intra-stage parallelism, two edge-grouping algorithms are designed to evenly divide the edges associated with each stage into multiple work-conserving hash tables with minimum overhead. Extensive simulation using realistic classifiers and traffic traces shows that the proposed pipeline architecture outperforms HyperCut and B2PC schemes in classification speed by at least one order of magnitude, while with a similar storage requirement. Particularly, with different types of classifiers of 4K rules, the proposed pipeline architecture is able to achieve a throughput between 19.5 Gbps and 91 Gbps.

FU Ge,GU Chun-hua,LI Fei

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.11.015

2006-01-01

Abstract:we present packet classification algorithm based on bitmap and tuple space.It can process input packets at wire speed by router.This algorithm reduces time and space complexity.Furthermore,it can scale well with the growth of the experimental data.

Yeim-Kuan Chang,Hsin-Mao Chen

DOI: https://doi.org/10.1093/comjnl/bxad132

2024-02-02

The Computer Journal

Abstract:Abstract Multi-dimensional packet classification is one of the most important functions to support various services in next generation routers. Both the memory-efficient data structure to support larger rule tables and the hardware architecture to achieve a higher throughput are desired. In this paper, we propose a parallel and pipelined architecture called Set-Pruning Segment Trees with Buckets (SPSTwB) for multi-dimensional packet classification. SPSTwB significantly reduces rule duplication based on a novel partitioning scheme and an efficient bucket merging scheme. The key feature of our proposed architecture is that memory consumption is reduced significantly regardless of the characteristics of various rule tables. In addition, the logic complexity of each pipeline stage is simplified by not storing rule IDs and priorities and thus it can run at a high clock rate. The proposed scheme needs less than 20 bytes per rule for various 100 K rule tables generated by ClassBench. In addition, the proposed scheme supports fast incremental rule update. The proposed pipelined architecture can achieve a throughput of 134 Gbps from the implementation on Xilinx Virtex-7 FPGA device with dual-ported Block RAM.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Yaxuan Qi,Lianghong Xu,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/infcom.2009.5061972

2009-01-01

Abstract:During the past decade, the packet classification problem has been widely studied to accelerate network applications such as access control, traffic engineering and intrusion detection. In our research, we found that-although a great number of packet classification algorithms have been proposed in recent years, unfortunately most of them stagnate in mathematical analysis or software simulation stages and few of them have been implemented in commercial products as a generic solution. To fill the gap between theory and practice, in this paper, we propose a novel packet classification algorithm named HyperSplit. Compared to the well-known HiCuts and HSM algorithms, HyperSplit achieves superior performance in terms of classification speed, memory usage and preprocessing time. The practicability of the proposed algorithm is manifested by two facts in our test: HyperSplit is the only algorithm that can successfully handle all the rule sets; HyperSplit is also the only algorithm that reaches more than 6Gbps throughput on the Octeon3860 multi-core platform when tested with 64-byte Ethernet packets against 10K ACL rules.

LQ Tian,C Lin,ZX Tan

DOI: https://doi.org/10.1109/icct.2003.1209079

2003-01-01

Abstract:Performing classification quickly on multi-fields is known to be difficult, and has poor worst-case performance. In this paper, we present a solution to the problem of rapidly classifying packets. Our approach is mainly based on classifier's characteristic, which was named as PCBCC (packet classification based on classifier characteristic), and has the characteristics of high speed, multi-dimensions and modest memory requirements of the network processor. We have implemented this algorithm on Intel IXP1200 network processor and performance evaluation results are provided.

Yaxuan Qi,Jeffrey Fong,Weirong Jiang,Bo Xu,Jun Li,Viktor K. Prasanna

DOI: https://doi.org/10.1109/fpt.2010.5681492

2010-01-01

Abstract:Multi-dimensional packet classification is a key task in network applications, such as firewalls, intrusion prevention and traffic management systems. With the rapid growth of network bandwidth, wire speed multi-dimensional packet classification has become a major challenge for next-generation network processing devices. In this paper, we present a FPGA-based architecture targeting 100 Gbps packet classification. Our solution is based on HyperSplit, a memory-efficient tree search algorithm. First, we present an efficient pipeline architecture for mapping HyperSplit tree. Special logic is designed to support two packets to be processed every clock cycle. Second, a node-merging algorithm is proposed to reduce the number of pipeline stages without significantly increasing the memory requirement. Third, a leaf-pushing algorithm is designed to control the memory usage and to support on-the-fly rule update. The implementation results show that our architecture can achieve more than 100 Gbps throughput for the 64-byte minimum Ethernet packets. With a single Virtex-6 chip, our approach can handle over 50K rules. Compared with the state-of-the-art multi-core network processor based solutions, our FPGA design offers at least a 10x improvement in throughput performance.

Wei Li,Weibin Zheng,Juanjuan Lin,Xiaohong Guan,Ling Li,Sohail S. Chaudhry,Pan Wang,Yanping Liu

DOI: https://doi.org/10.1111/j.1468-0394.2010.00563.x

IF: 3.3

2010-01-01

Expert Systems

Abstract:Modern Internet routers have to handle a large number of packet classification rules, which requires classification schemes to be scalable both in time and space. In this paper, we present a scalable packet classification algorithm that is developed by combining two new concepts to the well-known bit vector (BV) scheme. We propose a range search method based on a cache-aware tree (CATree) which makes full use of processor's cache line to reduce the number of dynamic random access memory (DRAM) accesses. Theoretically, the number of DRAM accesses of CATree is about log(m + 1) times lower than that of the widely used binary search algorithm, where m is the number of keys in a single cache line. Based on our computational results on a set of 1024 keys, the CATree algorithm is 36% faster than binary search algorithm and the performance is better when applied to a larger set of keys. In addition, we develop a rule re-arrangement algorithm to reduce the bitmap space of BV. With this rearrangement, the rules for the same action may be assigned an identical priority. This reduces the number of priorities as well as the memory space of the bitmap. Furthermore, this also reduces the number of memory accesses and hence, increases the CPU cache utilization. With CATree and rule re-arrangement, the cache-aware bit vector with rule re-arrangement algorithm achieves better performance in comparison with the regular BV scheme, both in space and time. In our experiments, the proposed algorithm reduces the bitmap memory space of a practical set of firewall rules by two orders of magnitude and is 91% faster than the regular BV.

Haipeng Cheng,Zheng Chen,Bei Hua,Xinan Tang

DOI: https://doi.org/10.1145/1345206.1345214

2008-01-01

Abstract:Packet classification is an enabling technology to support advanced Internet services. It is still a challenge for a software solution to achieve 10Gbps (line-rate) classification speed. This paper presents a classification algorithm that can be efficiently implemented on a multi-core architecture with or without cache. The algorithm embraces the holistic notion of exploiting application characteristics, considering the capabilities of the CPU and the memory hierarchy, and performing appropriate data partitioning. The classification algorithm adopts two stages: searching on a reduction tree and searching on a list of ranges. This decision is made based on a classification heuristic: the size of the range list is limited after the first stage search. Optimizations are then designed to speed up the two-stage execution. To exploit the speed gap (1) between the CPU and external memory; (2) between internal memory (cache) and external memory, an interpreter is used to trade the CPU idle cycles with demanding memory access requirements. By applying the CISC style of instruction encoding to compress the range expressions, it not only significantly reduces the total memory requirement but also makes effective use of the internal memory (cache) bandwidth. We show that compressing data structures is an effective optimization across the multi-core architectures.We implement this algorithm on both Intel IXP2800 network processor and Core 2 Duo X86 architecture, and experiment with the classification benchmark, ClassBench. By incorporating architecture-awareness in algorithm design and taking into account the memory hierarchy, data partitioning, and latency hiding in algorithm implementation, the resulting algorithm shows a good scalability on Intel IXP2800. By effectively using the cache system, the algorithm also runs faster than the previous fastest RFC on the Core 2 Duo architecture.

Jiaqi Gao,Xiaoguang Hu,Jun Li

2015-01-01

Abstract:Packet classification is one of the core techniques in network devices such as firewall, IDS and IPS. Tens of thousands of rules pose great pressure on classification algorithm in terms of memory requirements and throughput. In this paper, a new packet classification algorithm, named Fixed-Length Compression Bit Vector (FLCBV), is proposed based on the compression scheme FLC. Compared with traditional algorithms, FLC is more adaptive to network environment, especially in large scale ruleset and multi-field packet header. Experimental results demonstrate that FLCBV takes only 65% of memory compared with traditional compression algorithms without losing much throughput.

Duo Liu,Zheng Chen,Bei Hua,Nenghai Yu,Xinan Tang

DOI: https://doi.org/10.1145/1331331.1331340

2008-01-01

ACM Transactions on Embedded Computing Systems

Abstract:Packet classification is crucial for the Internet to provide more value-added services and guaranteed quality of service. Besides hardware-based solutions, many software-based classification algorithms have been proposed. However, classifying at 10 Gbps speed or higher is a challenging problem and it is still one of the performance bottlenecks in core routers. In general, classification algorithms face the same challenge of balancing between high classification speed and low memory requirements. This paper proposes a modified recursive flow classification (RFC) algorithm, Bitmap-RFC, which significantly reduces the memory requirements of RFC by applying a bitmap compression technique. To speed up classifying speed, we exploit the multithreaded architectural features in various algorithm development stages from algorithm design to algorithm implementation. As a result, Bitmap-RFC strikes a good balance between speed and space. It can significantly keep both high classification speed and reduce memory space consumption. This paper investigates the main NPU software design aspects that have dramatic performance impacts on any NPU-based implementations: memory space reduction, instruction selection, data allocation, task partitioning, and latency hiding. We experiment with an architecture-aware design principle to guarantee the high performance of the classification algorithm on an NPU implementation. The experimental results show that the Bitmap-RFC algorithm achieves 10 Gbps speed or higher and has a good scalability on Intel IXP2800 NPU.

孙清,张德运,何晖,李金库

2009-01-01

Abstract:A fast multifields packet classification algorithm base on the parallel process ability of network processor is presented in this paper. In order to let the parallel algorithm provide high performance, this paper pretreat the packet filter rules in library in a meaningful way. Then divide rules into several clusters according to the corresponding feature of one kind of network processor. After that, an optimized three value trie tree method is emploied to encode each rule into shorter bit string. By the help of this method, the problem of rule expansion while rule encoding had been successfully solved. Only need one hash search and one time rule match in this algorithm, so it provide an efficient way to handle multi-dimensional packet classification.

Alan Kennedy,Zhen Liu,Xiaojun Wang,Bin Liu

DOI: https://doi.org/10.1109/icccn.2009.5235260

2009-01-01

Abstract:As line rates increase, the task of designing high performance architectures with reduced power consumption for the processing of router traffic remains important. In this paper, we present a multi-engine packet classification hardware accelerator, which gives increased performance and reduced power consumption. It follows the basic idea of decision-tree based packet classification algorithms, such as HiCuts and HyperCuts, in which the hyperspace represented by the ruleset is recursively divided into smaller subspaces according to some heuristics. Each classification engine consists of a Trie Traverser which is responsible for finding the leaf node corresponding to the incoming packet, and a Leaf Node Searcher that reports the matching rule in the leaf node. The packet classification engine utilizes the possibility of ultra-wide memory word provided by FPGA block RAM to store the decision tree data structure, in an attempt to reduce the number of memory accesses needed for the classification. Since the clock rate of an individual engine cannot catch up to that of the internal memory, multiple classification engines are used to increase the throughput. The implementations in two different FPGAs show that this architecture can reach a searching speed of 169 million packets per second (mpps) with synthesized ACL, FW and IPC rulesets. Further analysis reveals that compared to state of the art TCAM solutions, a power savings of up to 72% and an increase in throughput of up to 27% can be achieved.