Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1145/1882486.1882507

2009-01-01

Abstract:Multiple pattern matching architecture is critical for content inspection based network security applications, especially for high speed network or large pattern sets. This paper presents a method to optimize the potential memory usage for multiple string or regular expression matching by the idea of combining DFA's paths, named isomorphic path combination (IMPC). To achieve IMPC, a novel multiple pattern matching algorithm is proposed, which is based on Cached DFA (CDFA). Compared to extended AC algorithm based on DFA, our method on CDFA can reduce 78.6% states for Snort pattern set, which results in one of the most memory efficient methods. More important is that our method can be embedded to other algorithms as the optimization.

Yi-fan HE,Guo-yin XU,Hai-bin SHEN

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.01.042

2007-01-01

Abstract:In order to improve the performance of pattern-matching module in NIDS, an efficient engine for multi-gigabit rate, line-speed pattern-matching is proposed after analyzing a large amount of related work. By grouping and evenly storing patterns into CAM or TCAM according to their lengths and amount, as well as using payload-switching technique, this engine not only reaches multi-gigabit rate performance, but also has high storage efficiency. System performance can be improved further by using multiple process modules in parallel. In a 200 MHz Clock implementation, system throughput can reach more than 6 Gbit/s.

SONG Tian,LI Dong-Ni,WANG Dong-Sheng,XUE Yi-Bo

DOI: https://doi.org/10.3724/sp.j.1001.2013.04314

2013-01-01

Journal of Software

Abstract:Pattern matching is the main part of content inspection based network security systems, and it is widely used in many other applications. In practice, pattern matching methods for large scale sets with stable performance are in great demand, especially the architecture for online real-time processing. This paper presents a memory efficient pattern matching algorithm and architecture for a large scale set. This paper first proposes cached deterministic finite automata, namely CDFA, in the view of basic theory. By classifying transitions in pattern DFA, a new algorithm, ACC, based on CDFA is addressed. This algorithm can dynamically generate cross transitions and save most of memory resources, so that it can support large scale pattern set. Further, an architecture based on this method is proposed. Experiments on real pattern sets show that the number of transition rules can be reduced 80%~95% than the current most optimized algorithms. At the same time, it can save 40.7% memory space, nearly 2 times memory efficiency. The corresponding architecture in single chip can achieve about 11Gbps matching performance.

Junchen Jiang,Xiaofei Wang,Keqiang He,Bin Liu

DOI: https://doi.org/10.1109/icc.2010.5501748

2010-01-01

Abstract:Multi-pattern matching is a key technique for implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against predefined attack signatures written in regular expressions (regexes). To this end, Deterministic Finite Automaton (DFA) is widely used for multi-regex matching, but existing DFAbased researches have claimed high throughput at an expenses of extremely high memory cost. In this paper, we propose a parallel architecture of DFA called Parallel DFA (PDFA), using multiple flow aggregations to increase the throughput with nearly no extra memory cost. The basic idea is to selectively store the DFA in multiple memory modules which can be accessed in parallel and to explore the potential parallelism. The memory cost of our system in both the average cases and the worst cases is analyzed, optimized and evaluated by numerical results. The evaluation shows that we obtain an average speedup of about 0.5k to 0.7k where k is the number of parallel memory modules under our synthetic trace and compressed real trace in a statistical average case, compared with the traditional DFA-based matching approaches.

Hang Lint,Weiwei Lint,Jing Lint,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iscc58397.2023.10218028

2023-01-01

Abstract:Pattern matching is an important technology applied to many security applications. Most network service providers choose to compress network traffic for better transmission, which brings the challenges of compressed traffic matching. However, existing works focus on improving the performance of uncompressed traffic matching or only realize the compressed traffic matching on end-host that can not keep pace with the dramatic increase in traffic. In this paper, we present P4CTM, a proof-of-concept method to conduct efficient compressed traffic matching on the programmable data plane. P4CTM uses the two-stage scan scheme to skip some bytes of compressed traffic, the 2-stride DFA combines with the compression algorithm to condense the state space, and the wildcard match to downsize the match action tables in the programmable data plane. The experiment indicates that P4CTM skips 83.10% bytes of compressed traffic, condenses the state space by order of magnitude, and reduces most of the table entries.

Yi Tang,Junchen Jiang,Xiaofei Wang,Chengchen Hu,Bin Liu,Zhijia Chen

DOI: https://doi.org/10.1587/transinf.E93.D.3232

2010-01-01

IEICE Transactions on Information and Systems

Abstract:Multi pattern matching is a key technique for Implementing network security applications such as Network Intrusion Detection/Protection Systems (NIDS/NIPSes) where every packet is inspected against tens of thousands of predefined attack signatures written in regular expressions (regexes) To this end Deterministic Finite Automaton (DFA) is widely used for multi regex matching but existing DFA based researches have claimed high throughput at an expense of extremely high memory cost so fail to be employed in devices such as high speed routers and em bedded systems where the available memory is quite limited In this paper we propose a parallel architecture of DFA called Parallel DFA (PDFA) taking advantage of the large amount of concurrent flows to increase the throughput with nearly no extra memory cost The basic Idea is to selectively store the underlying DFA in memory modules that can be accessed in parallel To explore its potential parallelism we intensively study DFA split schemes from both state and transition points in this paper The performance of our approach in both the average cases and the worst cases is analyzed optimized and evaluated by numerical results The evaluation shows that we obtain an average speedup of 100 times compared with traditional DFA based matching approach

Junchen Jiang,Yi Tang,Bin Liu,Xiaofei Wang,Yang Xu

DOI: https://doi.org/10.1145/1882486.1882523

2009-01-01

Abstract:ABSTRACTDeterministic Finite Automaton (DFA) is well-known for its constant matching speed in worst case, and widely used in multi-string matching, which is a critical technique in high performance Network Intrusion Detection System (NIDS) design. Existing DFA-based researches achieve high throughput at the expense of extremely high memory cost, so they fail to be used in situations like embedded systems where very tight memory resource is available. In this paper, we propose a memory-efficient multi-string matching acceleration scheme named Synergic Parallel Compact (SPC) Match Engine, which can provide a high matching speedup with no extra memory cost than the traditional DFA. Our scheme can be understood as consisting of k SPC-FAs, each of which can process one character from the input stream, causing achieving a constant speedup factor k with reduced memory occupation. Experimental evaluations with Snort and ClamAV rulesets show that a speedup of 9X can be practically achieved by a single SPC Match Engine instance with a reduced memory size than the up-to-date DFA-based compression approaches.

Yi Tang,Junchen Jiang,Xiaofei Wang,Yi Wang,Bin Liu

DOI: https://doi.org/10.1109/glocom.2010.5683142

2010-01-01

Abstract:Regular expression (Regex) becomes the standard signature language for security and application detection. Deterministic finite automata (DFAs) are widely used to perform regex matching in linear time. Previously researches mostly focus on how to compress DFA to reduce memory requirements in recent years. However, memory requirement is not the only problem caused by DFA explosion when implementation DFA matching system. In this paper, we propose a new issue in DFA matching procedure. We notice that the DFA produced from regex never considers the physical locality of logical neighbor, which results in a low cache hit rate when using cache as matching accelerator. This problem becomes severe for current increasingly complex security regex which producing huge DFA with nearly no locality in physical location. We propose to solve this problem through reordering the state number of existing DFA and further put forward two methods on reordering DFA from different viewpoints. In our algorithms, we achieve more than twice cache hit rate compared with traditional method. Moreover, our methods will not affect the existing matching system. Hence, all the cache hit rate improvement is achieved without any cost in wire speed matching.

Jing Lin,Weiwei Lin,Hang Lin,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1016/j.comnet.2024.110662

IF: 5.493

2024-01-01

Computer Networks

Abstract:Regular expression matching is pivotal in numerous network applications. With the ever-increasing scale of data center traffic, deploying regular expression matching modules on traditional servers struggles to meet throughput demands. Emerging programmable switches have brought new prospects for high-speed pattern matching. However, deploying regular expression matching onto programmable switches presents the challenge of space explosion incurred by compiling regular expressions into a Deterministic Finite Automata (DFA). In this paper, we introduce P4Rex, a regular expression matching system designed for programmable switches. P4Rex synergistically leverages two following techniques: an efficient regular expression grouping algorithm that partitions regular expressions into different groups to reduce memory consumption, and DFA compression technology to achieve transition sharing. Experimental results demonstrate that P4Rex exhibits an average improvement of 17% and maximum improvement of 30% on memory consumption compared to prior regular expression grouping schemes and saves more than 10x memory consumption compared to deploying DFA directly on programmable switch.

Yi Tang,Junchen Jiang,Bin Liu

DOI: https://doi.org/10.1109/INFCOMW.2010.5466687

2010-01-01

Abstract:Multi-string matching is a key technique for network security applications like Network Intrusion Detection Systems (NIDS) and anti-virus scanners. %, where every packet is inspected against thousands of predefined signatures in real time. Existing DFA-based approaches always tradeoff between memory and throughput, no known approach has the best of both worlds. Hence, they fail to be used in the embedded systems like high speed routers where only limited on-chip resources are available. This post proposes a multi-step string matching acceleration scheme named step Finite Automata (Step-FA). Different from classical string matching approaches, we suppose to match an additional structural characteristic named as the distance of certain characters in Step-FA rather than the pure explicit characters themselves. As Step-FA does not follow each-byte-one-memory-access manner in the classical DFA, a high speedup can be achieved meanwhile the memory requirement decreased sharply. The Step-DFA gives the trade-off between accurate and approximate matching. For the purpose of guaranteeing he equivalence between the Step-FA and DFA, a verification module is introduced to fast check the already matched results. Experimental evaluations with ClamAV show that a 6 times of speedup can be practically achieved by a single Step-FA Matching System with a 70% reduced memory comparing to the up-to-date DFA-based approaches.

Wei Zhang,Yibo Xue,Dongsheng Wang,Tian Song

DOI: https://doi.org/10.1109/apcsac.2008.4625475

2008-01-01

Abstract:Pattern matching and regular expression matching are all the critical components for content inspection based applications. But current regular expression matching algorithms or architecture cannot provide a perfect solution for whole matching problem. In some real network security applications, exact strings are the biggest part of rule set, and the second part is simple regular expressions (dot-star and AND-logic), and the other complex regular expressions only occupy a very small part. So, we propose a new hardware-based multiple simple regular expression matching architecture, called MSRM, for Dot-Star and AND-logic regular expressions. Firstly, software compiler splits simple regular expressions into exact strings and relations. Multi-string-matching module judges whether strings match and outputs the matched ID. Based on these matched information and pre-generated RAM data, MSRM can judge whether dot-star and AND-logic regular expressions are satisfied easily and quickly. Experiments with random test data and ClamAV rule set show that MSRM can achieve a high throughput of 2.1 and 2.8 Gbps using Virtex2 and Virtex4 devices respectively which is much higher than software algorithms.

Jia Ni,Chuang Lin,Zhen Chen,Peter Ungsunan

DOI: https://doi.org/10.1109/ICPP.2007.7

2007-01-01

Abstract:Deep Packet Inspection (DPI) is a critical function in network security applications such as Firewalls and Intrusion Detection Systems (IDS). Signature based scanners used in DPI apply multi-pattern matching algorithms to check whether the packet payload or flow content contains a specified signature in a signature set. Existing multi-pattern matching algorithms sacrifice memory space to achieve better performance. In this paper a novel fast multi-pattern matching algorithm, the Hash Boyer-Moore (HBM) Algorithm, is presented, which reduces the memory footprint of the heuristic table using a hash function and adds another heuristic table to reduce the false-positive ratio. Analyses and simulations show HBM offers higher speed and lower memory cost than some existing algorithms. The HBM algorithm was implemented on the Intel IXP 2400 Network Processor (NP) platform and experiments show suitable performance results in a Gigabit Ethernet LAN environment.

Hongbin Lu,Kai Zheng,Bin Liu,Xin Zhang,Yunhao Liu

DOI: https://doi.org/10.1109/jsac.2006.877221

IF: 16.4

2006-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The ability to inspect both packet headers and payloads to identify attack signatures makes network intrusion detection system (NIDS) a promising approach to protect Internet systems. Since most of the known attacks can be represented with strings or combinations of multiple substrings, string matching is a key component, as well as the bottleneck in NIDS to address the requirement of constantly increasing capacity. We propose a memory-efficient multiple-character-approaching architecture consisting of multiple parallel deterministic finite automata (DFAs), called TDP-DFA. By employing efficient representations for the transition rules in each DFA, TDP-DFA significantly reduces the complexity. We also present a novel scheme to share the storage of transition rules among multiple DFAs, substantially decreasing the total storage cost, and avoiding the cost increase being proportional to the number of DFAs. We evaluate this design through theoretical analysis and comprehensive experiments. Results show that TDP-DFA is able to meet the critical requirement of OC-768 wirespeed processing, as well as constituting a promising way for scaling up to cope with throughput over 100 Gb/s in the future

Kai Wang,Zhe Fu,Xiaohe Hu,Jun Li

DOI: https://doi.org/10.1016/j.comcom.2014.08.005

IF: 5.047

2014-01-01

Computer Communications

Abstract:Regular expressions (regexes) provide rich expressiveness to specify the signatures of intrusions and are widely used in contemporary network security systems for signature-based intrusion detection. To perform very fast regex matching, deterministic finite automata (DFA) has been the first choice because its time complexity is constant O ( 1 ) . Unfortunately, DFA often suffers the well known state explosion problem and, consequently, tends to require prohibitive memory overhead in practical applications. To address the problem, a wide variety of DFA compression techniques have been proposed; however, few can keep up with the ever increasing network traffic bandwidth and regex set complexity. This paper proposes that the DFA problem is rooted in regexes (rather than in DFA), i.e., semantic overlapping of regexes, and accordingly presents a complete algorithmic solution PaCC (Partition, Compression, and Combination), that can transform the given large-scale set of complex regexes into a compact and fast matching engine using DFA as its core. PaCC fundamentally defuses state explosion for DFA by partitioning complex regexes into overlapping-free segments. By exploiting the massive repetitiveness among the resulting segments, PaCC can further deflate corresponding DFA in terms of the number of states. Moreover, on the basis of the characteristics of these segments, PaCC takes a tailor-made compression approach and reduces over 96% of the state transitions for the corresponding DFA. In the final matching engine, the combination of DFA and a small relation mapping table, built from segments and their syntagmatic relations, respectively, guarantees high performance and semantic equivalence. Experimental evaluation shows that PaCC produces succinct matching engines with memory usage proportional to the size of the real-world Snort and Bro regex sets, with speeds of up to 1.7Gbps per core on a HP Z220 SFF workstation with a 3.40GHz Intel Core i7-3770.

Ransheng Shen,Xianfeng Li,Hui Li

DOI: https://doi.org/10.1007/s11227-014-1109-x

2014-01-01

Abstract:Packet classification is implemented in modern network routers for providing differentiated services based on packet header information. Traditional packet classification only reports a single matched rule with the highest priority for an incoming packet and takes an action accordingly. With the emergence of new Internet applications such as network intrusion detection system, all matched rules need to be reported. This multi-match problem is more challenging and is attracting attentions in recent years. Because of the stringent time budget on classification, architectural solutions using ternary content addressable memory (TCAM) are the preferred choice for backbone network routers. However, despite its advantage on search speed, TCAM is much more expensive than SRAM, and is notorious for its extraordinarily high power consumption. These problems limit the application and scalability of TCAM-based solutions. This paper presents a tree-based multi-match packet classification technique combining the benefits of both TCAMs and SRAMs. The experiments show that the proposed solution achieves significantly more savings on both memory space and power consumption on packet matching compared to existing solutions.

Wei Lin,Yi Tang,Bin Liu,Derek Pao,XiaoFei Wang

DOI: https://doi.org/10.1109/icc.2009.5198833

2009-01-01

Abstract:New applications such as real-time deep packet inspection require high-speed regular expression (regex) matcher, and the number of regexes in pattern store is increasing to several thousands, which requires a memory efficient solution. In this paper, a kind of hardware based compact DFA structure for multiple regexes matching called CPDFA is presented. According to statistics of regexes in Snort and L7-filter rules, transitions from each state to its next states are not evenly distributed. The summation of transitions from each state to its top three most popular next states takes about 90% of all the transitions. Therefore, CPDFA employs an indirect index table to represent transitions to top three most popular next states more efficiently. The remaining transitions which take about 10% of all the transitions are stored in direct transition table or K parallel SRAMs according to the number of remaining transitions from the same state is more than K or not. Simulation shows that CPDFA structure can save about 90% of memory storage comparing with the original DFA structure. By using pipelined architecture in FPGA, CPDFA can advance one character in one memory access cycle.

Xiaofei Wang,Junchen Jiang,Yi Tang,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/icc.2011.5963289

2011-01-01

Abstract:Deep packet inspection (DPI) has become one of the key components of a Network Intrusion Detection System (NIDS) and it compares packet content to a set of rules written in regular expression. The need to keep up with ever-increasing line speed has forced NIDS designers to move to hardware or high-speed memory where memory resources are limited. In this paper, we present LBM, a novel accelerating scheme for regular expression matching which converts the original byte stream into much shorter integer stream and then matches it with a variant of DFA, called StriD2FA. In the instance of LBM that we realize, 10-15 speedup is reasonable while the memory is much smaller than traditional DFA.

Shen Ransheng,Li Xianfeng,Li Hui

DOI: https://doi.org/10.1109/PDCAT.2012.19

2012-01-01

Abstract:Modern network routers provide differentiated services for incoming network packets based on classification, where the packet header is compared against a rule set for matching. Traditional packet classification only reports a single matched rule with the highest priority in case of multiple matched ones. With the emergence of new applications such as network intrusion detection system (NDIS), all matched rules need to be reported. This multi-match problem is more challenging and is getting higher attention in recent years. Because of the stringent time budget on classification, architectural solutions using Ternary Content Addressable Memory (TCAM) attract more attention than software solutions for backbone network routers. However, despite its advantage on search speed, TCAM is much more expensive than SRAM, and is notorious for its extraordinarily high power consumption. These problems limit the application and scalability of TCAM solutions. This paper presents a novel tree-based hybrid TCAM+SRAM solution for the purposes of both TCAM space reduction and power saving. The experiments show that the proposed solution achieves significantly more savings on both memory space and power consumption on packet matching than existing solutions. © 2012 IEEE.

Yang Xu,Zhaobo Liu,Zhuoyuan Zhang,H. Jonathan Chao

DOI: https://doi.org/10.1145/1882486.1882537

2009-01-01

Abstract:ABSTRACTThe emergence of new network applications like network intrusion detection system, packet-level accounting, and load-balancing requires packet classification to report all matched rules, instead of only the best matched rule. Although several schemes have been proposed recently to address the multi-match packet classification problem, most of them require either huge memory or expensive Ternary Content Addressable Memory (TCAM) to store the intermediate data structure, or suffer from steep performance degradation under certain types of classifiers. In this paper, we decompose the operation of multi-match packet classification from the complicated multi-dimensional search to several single-dimensional searches, and present an asynchronous pipeline architecture based on a signature tree structure to combine the intermediate results returned from single-dimensional searches. By spreading edges of the signature tree in multiple hash tables at different stages of the pipeline, the pipeline can achieve a high throughput via the inter-stage parallel access to hash tables. To exploit further intra-stage parallelism, two edge-grouping algorithms are designed to evenly divide the edges associated with each stage into multiple work-conserving hash tables with minimum overhead. Extensive simulation using realistic classifiers and traffic traces shows that the proposed pipeline architecture outperforms HyperCut and B2PC schemes in classification speed by at least one order of magnitude, while with a similar storage requirement. Particularly, with different types of classifiers of 4K rules, the proposed pipeline architecture is able to achieve a throughput between 19.5 Gbps and 91 Gbps.

Mingjiang Ye,Ke Xu,Jianping Wu,Yong Cui

DOI: https://doi.org/10.1109/icoin.2008.4472764

2008-01-01

Abstract:Pattern-matching is often used in network security mechanisms, which detect the predefined signature strings or keywords starting at an arbitrary location in the payload. Such mechanisms require the network to inspect the packet payload at line rates to filter the worms or virus. These signature sets are large and some signature can be as long as more than 2000 byte. This paper propose a high performance and scalable packet pattern-matching architecture. Bloom filter engines are used in front-end for membership query which can achieve high performance, and an lookup table is used in back-end to performance deterministic string-matching. In order to solve the scalability problem in using Bloom filter to detect long pattern, prefix register heap is used to keep the intermediate status. The architecture can achieve gigabytes throughput with large pattern set and long patterns. A great saving in hardware resource also proves that the architecture is very scalable.