Yi Tang,Junchen Jiang,Xiaofei Wang,Chengchen Hu,Bin Liu,Zhijia Chen

DOI: https://doi.org/10.1587/transinf.E93.D.3232

2010-01-01

IEICE Transactions on Information and Systems

Abstract:Multi pattern matching is a key technique for Implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against tens of thousands of predefined attack signatures written in regular expressions (regexes) To this end Deterministic Finite Automaton (DFA) is widely used for multi regex matching but existing DFA based researches have claimed high throughput at an expense of extremely high memory cost so fail to be employed in devices such as high speed routers and em bedded systems where the available memory is quite limited In this paper we propose a parallel architecture of DFA called Parallel DFA (PDFA) taking advantage of the large amount of concurrent flows to increase the throughput with nearly no extra memory cost The basic Idea is to selectively store the underlying DFA in memory modules that can be accessed in parallel To explore its potential parallelism we intensively study DFA split schemes from both state and transition points in this paper The performance of our approach in both the average cases and the worst cases is analyzed optimized and evaluated by numerical results The evaluation shows that we obtain an average speedup of 100 times compared with traditional DFA based matching approach

Yi Tang,Junchen Jiang,Xiaofei Wang,Yi Wang,Bin Liu

DOI: https://doi.org/10.1109/glocom.2010.5683142

2010-01-01

Abstract:Regular expression (Regex) becomes the standard signature language for security and application detection. Deterministic finite automata (DFAs) are widely used to perform regex matching in linear time. Previously researches mostly focus on how to compress DFA to reduce memory requirements in recent years. However, memory requirement is not the only problem caused by DFA explosion when implementation DFA matching system. In this paper, we propose a new issue in DFA matching procedure. We notice that the DFA produced from regex never considers the physical locality of logical neighbor, which results in a low cache hit rate when using cache as matching accelerator. This problem becomes severe for current increasingly complex security regex which producing huge DFA with nearly no locality in physical location. We propose to solve this problem through reordering the state number of existing DFA and further put forward two methods on reordering DFA from different viewpoints. In our algorithms, we achieve more than twice cache hit rate compared with traditional method. Moreover, our methods will not affect the existing matching system. Hence, all the cache hit rate improvement is achieved without any cost in wire speed matching.

Yi-fan HE,Guo-yin XU,Hai-bin SHEN

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.01.042

2007-01-01

Abstract:In order to improve the performance of pattern-matching module in NIDS, an efficient engine for multi-gigabit rate, line-speed pattern-matching is proposed after analyzing a large amount of related work. By grouping and evenly storing patterns into CAM or TCAM according to their lengths and amount, as well as using payload-switching technique, this engine not only reaches multi-gigabit rate performance, but also has high storage efficiency. System performance can be improved further by using multiple process modules in parallel. In a 200 MHz Clock implementation, system throughput can reach more than 6 Gbit/s.

Hongbin Lu,Kai Zheng,Bin Liu,Xin Zhang,Yunhao Liu

DOI: https://doi.org/10.1109/jsac.2006.877221

IF: 16.4

2006-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The ability to inspect both packet headers and payloads to identify attack signatures makes network intrusion detection system (NIDS) a promising approach to protect Internet systems. Since most of the known attacks can be represented with strings or combinations of multiple substrings, string matching is a key component, as well as the bottleneck in NIDS to address the requirement of constantly increasing capacity. We propose a memory-efficient multiple-character-approaching architecture consisting of multiple parallel deterministic finite automata (DFAs), called TDP-DFA. By employing efficient representations for the transition rules in each DFA, TDP-DFA significantly reduces the complexity. We also present a novel scheme to share the storage of transition rules among multiple DFAs, substantially decreasing the total storage cost, and avoiding the cost increase being proportional to the number of DFAs. We evaluate this design through theoretical analysis and comprehensive experiments. Results show that TDP-DFA is able to meet the critical requirement of OC-768 wirespeed processing, as well as constituting a promising way for scaling up to cope with throughput over 100 Gb/s in the future

Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1109/icccn.2011.6005927

2011-01-01

Abstract:Multi-pattern matching algorithm and architecture is critical for packet inspection based network security applications, especially for high speed network or large pattern sets. This paper presents a method to optimize the potential memory usage of DFA based algorithms for multi-pattern expression matching by the combining DFA's paths, named isomorphic path combination (IMPC). To achieve IMPC, a novel multi-pattern matching algorithm, called ACS, is proposed, which is based on CDFA. Compared to the algorithms on DFA, our method can reduce 78.6% states for Snort pattern set, which results in one of the most memory efficient methods. The most important is that our method is a kind of optimization and can be embedded to other algorithms as the second step for better results. Finally the architecture based on ACS is proposed and the experimental results show that 47.6% to 84.0% memory space can be saved for different size of pattern sets as compared to the best known architectures. The method is another one based on CDFA. It means that CDFA may be a more proper model for multi-pattern matching than other FAs.

Jing Lin,Weiwei Lin,Hang Lin,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1016/j.comnet.2024.110662

IF: 5.493

2024-01-01

Computer Networks

Abstract:Regular expression matching is pivotal in numerous network applications. With the ever-increasing scale of data center traffic, deploying regular expression matching modules on traditional servers struggles to meet throughput demands. Emerging programmable switches have brought new prospects for high-speed pattern matching. However, deploying regular expression matching onto programmable switches presents the challenge of space explosion incurred by compiling regular expressions into a Deterministic Finite Automata (DFA). In this paper, we introduce P4Rex, a regular expression matching system designed for programmable switches. P4Rex synergistically leverages two following techniques: an efficient regular expression grouping algorithm that partitions regular expressions into different groups to reduce memory consumption, and DFA compression technology to achieve transition sharing. Experimental results demonstrate that P4Rex exhibits an average improvement of 17% and maximum improvement of 30% on memory consumption compared to prior regular expression grouping schemes and saves more than 10x memory consumption compared to deploying DFA directly on programmable switch.

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/icc.2011.5963289

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content to a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to hardware or high-speed memory where memory resources are limited. In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called StriD2FA. In the instance of LBM that we realize, 10-15 speedup is reasonable while the memory is much smaller than traditional DFA.

Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1145/1882486.1882507

2009-01-01

Abstract:Multiple pattern matching architecture is critical for content inspection based network security applications, especially for high speed network or large pattern sets. This paper presents a method to optimize the potential memory usage for multiple string or regular expression matching by the idea of combining DFA's paths, named isomorphic path combination (IMPC). To achieve IMPC, a novel multiple pattern matching algorithm is proposed, which is based on Cached DFA (CDFA). Compared to extended AC algorithm based on DFA, our method on CDFA can reduce 78.6% states for Snort pattern set, which results in one of the most memory efficient methods. More important is that our method can be embedded to other algorithms as the optimization.

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content against a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to software-based or hardware-based implementation where the memory resources are limited.In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called Stride-DFA (StriD(2)FA). In the instance of LBM that we realize, a speedup of 10-15 is achievable while the required memory size is much less than that in the traditional DFA.

Hang Lint,Weiwei Lint,Jing Lint,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iscc58397.2023.10218028

2023-01-01

Abstract:Pattern matching is an important technology applied to many security applications. Most network service providers choose to compress network traffic for better transmission, which brings the challenges of compressed traffic matching. However, existing works focus on improving the performance of uncompressed traffic matching or only realize the compressed traffic matching on end-host that can not keep pace with the dramatic increase in traffic. In this paper, we present P4CTM, a proof-of-concept method to conduct efficient compressed traffic matching on the programmable data plane. P4CTM uses the two-stage scan scheme to skip some bytes of compressed traffic, the 2-stride DFA combines with the compression algorithm to condense the state space, and the wildcard match to downsize the match action tables in the programmable data plane. The experiment indicates that P4CTM skips 83.10% bytes of compressed traffic, condenses the state space by order of magnitude, and reduces most of the table entries.

Junchen Jiang,Yi Tang,Bin Liu,Xiaofei Wang,Yang Xu

DOI: https://doi.org/10.1145/1882486.1882523

2009-01-01

Abstract:ABSTRACTDeterministic Finite Automaton (DFA) is well-known for its constant matching speed in worst case, and widely used in multi-string matching, which is a critical technique in high performance Network Intrusion Detection System (NIDS) design. Existing DFA-based researches achieve high throughput at the expense of extremely high memory cost, so they fail to be used in situations like embedded systems where very tight memory resource is available. In this paper, we propose a memory-efficient multi-string matching acceleration scheme named Synergic Parallel Compact (SPC) Match Engine, which can provide a high matching speedup with no extra memory cost than the traditional DFA. Our scheme can be understood as consisting of k SPC-FAs, each of which can process one character from the input stream, causing achieving a constant speedup factor k with reduced memory occupation. Experimental evaluations with Snort and ClamAV rulesets show that a speedup of 9X can be practically achieved by a single SPC Match Engine instance with a reduced memory size than the up-to-date DFA-based compression approaches.

Xiaofei Wang,Yang Xu,Junchen Jiang,Olga Ormond,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/JSYST.2013.2244791

IF: 4.802

2013-01-01

IEEE Systems Journal

Abstract:Deep packet inspection has become a key component in network intrusion detection systems (NIDSes), where every packet in the incoming data stream needs to be compared with patterns in an attack database, byte-by-byte, using either string matching or regular expression matching. Regular expression matching, despite its flexibility and efficiency in attack identification, brings significantly high computation and storage complexities to NIDSes, making line-rate packet processing a challenging task. In this paper, we present stride finite automata (StriFA), a novel finite automata family, to accelerate both string matching and regular expression matching. Different from conventional finite automata, which scan the entire traffic stream to locate malicious information, a StriFA only needs to scan a partial traffic stream to find suspicious information. The presented StriFA technique has been implemented in software and evaluated based on different traces. The simulation results show that the StriFA acceleration scheme offers an increased speed over traditional nondeterministic finite automaton/deterministic finite automaton, while at the same time reducing the memory requirement.

Wei Lin,Yi Tang,Bin Liu,Derek Pao,XiaoFei Wang

DOI: https://doi.org/10.1109/icc.2009.5198833

2009-01-01

Abstract:New applications such as real-time deep packet inspection require high-speed regular expression (regex) matcher, and the number of regexes in pattern store is increasing to several thousands, which requires a memory efficient solution. In this paper, a kind of hardware based compact DFA structure for multiple regexes matching called CPDFA is presented. According to statistics of regexes in Snort and L7-filter rules, transitions from each state to its next states are not evenly distributed. The summation of transitions from each state to its top three most popular next states takes about 90% of all the transitions. Therefore, CPDFA employs an indirect index table to represent transitions to top three most popular next states more efficiently. The remaining transitions which take about 10% of all the transitions are stored in direct transition table or K parallel SRAMs according to the number of remaining transitions from the same state is more than K or not. Simulation shows that CPDFA structure can save about 90% of memory storage comparing with the original DFA structure. By using pipelined architecture in FPGA, CPDFA can advance one character in one memory access cycle.

Zhikai Zhang,Youjian Zhao,Guanghui Yang,Xiaoping Zhang

DOI: https://doi.org/10.1109/GLOCOM.2010.5683877

2010-01-01

Abstract:Traditional DFA based DPI (Deep Packet Inspection) string matching architectures either suffer from throughput bottleneck or unfeasible memory requirement, or both. Bloom Filter based schemes, on the other hand, only provide indefinite and unprecise match results. In this paper, we propose a novel string matching data structure called Overlapped Substring Classifier(OSC), which tries to compromise between these two ends. Instead of using incoming byte flow directly, we use OSC to extract the characteristic digest of the incoming string, which we demonstrate would be sufficient for locating a very small set of possible match, using DFA techniques. This type of match ambiguity and false-positive inaccuracy can be tuned to be negligible. The scheme is perfectly suitable for efficient and parallel hardware implementation, which makes ultra high performance and low memory usage simultaneously possible. A hardware architecture is also designed supporting single-threaded scanning rate of 10Gbp, with only moderate memory requirement and clock rate assumption.

Jiashuo Yu,Long Huang,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/ISCC58397.2023.10218304

2023-01-01

Abstract:Packet classification is an essential part of computer networks. Existing algorithms propose a partition process to address the memory explosion problem of the decision tree algorithm caused by the huge number of rules with multiple fields. However, the search process requires traversing multiple trees generated by the partition, which reduces the search efficiency. The existing algorithms take simple approaches to optimize the search process, which is low efficiency or high hardware overhead. In this paper, we propose DTRadar, a framework for expediting the decision tree packet lookup process. Its key idea is building an abstract One-Big-Tree(OBT) for multiple decision trees by establishing the middle data structure. DTRadar considers each decision tree as a splittable tree and organizes these subtrees by intermediate data structures. Extensive experiments show that DTRadar benefits existing decision tree-based solutions in classification time by 61.60%, and the memory footprint only increased by 4.21% on average.

Yang Li,Zheng Li,Nenghai Yu,Ke Ma

DOI: https://doi.org/10.1007/978-3-642-10665-1_48

2009-01-01

Abstract:Security in cloud computing is getting more and more important recently. Besides passive defense such as encryption, it is necessary to implement real-time active monitoring, detection and defense in the cloud. According to the published researches, DPI (deep packet inspection) is the most effective technology to realize active inspection and defense. However, most recent works of DPI aim at space reduction but could not meet the demands of high speed and stability in the cloud. So, it is important to improve regular methods of DPI, making it more suitable for cloud computing. In this paper, an asynchronous parallel finite automaton named APFA is proposed, by introducing the asynchronous parallelization and the heuristically forecast mechanism, which significantly decreases the time consumed in matching while still keeps reducing the memory required. What is more, APFA is immune to the overlapping problem so that the stability is also enhanced. The evaluation results show that APFA achieves higher stability, better performance on time and memory. In short, APFA is more suitable for cloud computing.

Alan Kennedy,Xiaojun Wang,Zhen Liu,Bin Liu

DOI: https://doi.org/10.1109/date.2010.5457172

2010-01-01

Abstract:Deep Packet Inspection (DPI) involves searching a packet's header and payload against thousands of rules to detect possible attacks. The increase in Internet usage and growing number of attacks which must be searched for has meant hardware acceleration has become essential in the prevention of DPI becoming a bottleneck to a network if used on an edge or core router. In this paper we present a new multi-pattern matching algorithm which can search for the fixed strings contained within these rules at a guaranteed rate of one character per cycle independent of the number of strings or their length. Our algorithm is based on the Aho-Corasick string matching algorithm with our modifications resulting in a memory reduction of over 98% on the strings tested from the Snort ruleset. This allows the search structures needed for matching thousands of strings to be small enough to fit in the on-chip memory of an FPGA. Combined with a simple architecture for hardware, this leads to high throughput and low power consumption. Our hardware implementation uses multiple string matching engines working in parallel to search through packets. It can achieve a throughput of over 40 Gbps (OC-768) when implemented on a Stratix 3 FPGA and over 10 Gbps (OC-192) when implemented on the lower power Cyclone 3 FPGA.

Hao Xu,Harry Chang,Kun Qiu,Yang Hong,Wenjun Zhu,Xiang Wang,Baoqian Li,Jin Zhao

DOI: https://doi.org/10.1109/tnsm.2024.3354985

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Deep Packet Inspection (DPI) has been one of the most significant network security techniques. It is widely used to identify and classify network traffic in various applications such as web application firewall and intrusion detection. Different from traditional packet filtering that only examines packet headers, DPI detects payloads as well by comparing them with an existing signature database. The literal matching engine, which plays a key role in DPI, is the primary determinant of the system performance. FDR, an engine that utilizes 3 SIMD operations to match 1 character with multiple literals, has been developed and is currently one of the fastest literal matching engines. However, FDR has significant performance drop-off when faced with small-scale literal rule sets, whose proportion is more than 90% in modern databases. In this paper, we designed Teddy, an engine that is highly optimized for small-scale literal rule sets. Compared with FDR, Teddy significantly improves the matching efficiency by a novel shift-or matching algorithm that can simultaneously match up to 64 characters with only 15 SIMD operations. We evaluate Teddy with real-world traffic and rule sets. Experimental results show that its performance is up to 43.07x that of Aho-corasick (AC) and 2.17x that of FDR. Teddy has been successfully integrated into Hyperscan, together with which it is widely deployed in modern popular DPI applications such as Snort and Suricata.

computer science, information systems

SONG Tian,LI Dong-Ni,WANG Dong-Sheng,XUE Yi-Bo

DOI: https://doi.org/10.3724/sp.j.1001.2013.04314

2013-01-01

Journal of Software

Abstract:Pattern matching is the main part of content inspection based network security systems, and it is widely used in many other applications. In practice, pattern matching methods for large scale sets with stable performance are in great demand, especially the architecture for online real-time processing. This paper presents a memory efficient pattern matching algorithm and architecture for a large scale set. This paper first proposes cached deterministic finite automata, namely CDFA, in the view of basic theory. By classifying transitions in pattern DFA, a new algorithm, ACC, based on CDFA is addressed. This algorithm can dynamically generate cross transitions and save most of memory resources, so that it can support large scale pattern set. Further, an architecture based on this method is proposed. Experiments on real pattern sets show that the number of transition rules can be reduced 80%~95% than the current most optimized algorithms. At the same time, it can save 40.7% memory space, nearly 2 times memory efficiency. The corresponding architecture in single chip can achieve about 11Gbps matching performance.

Zhe Fu,Zhi Liu,Jun Li

DOI: https://doi.org/10.1109/ICCCN.2017.8038377

2017-01-01

Abstract:Regular expression matching has been widely used in today's network security systems, where the payloads of network packets are matched against a set of rules specified by regular expressions. Due to the increasing number of rules and the complex semantics of regular expressions, state-of-the-art regular expression matching techniques hardly meet the demands of network development. The rapid growth of parallel technology calls for an efficient parallel regular expression matching method. In this paper, we propose ParaRegex, a novel approach for fast parallel regular expression matching with high efficiency and low overhead. ParaRegex is a framework that implements data-parallel regular expression matching for finite automaton based methods. Experimental evaluation shows that ParaRegex produces a high-performance regular expression matching engine with low memory overhead and linear speed-up ratio, and obtains up to 6 times faster processing speed on a commodity multi-core workstation.