Memory-efficient signature matching for ClamAV on FPGA

Signature matching is a crucial task in security applications such as antivirus software, intrusion detection systems, and firewalls. The growth in the quantity and complexity of signatures has made matching more challenging, especially on general-purpose processors. In this paper, we propose an efficient architecture for matching Clam Antivirus (ClamAV) signatures on FPGA. We use a Bloom filter to filter the input data and a Bloomier filter to check suspect data in a single round. Our matching engine supports signatures up to 256 bytes long and handles both basic and regular-expression signatures. Compared with previous approaches, our architecture uses memory more efficiently, requiring 14%-64% less than previous works. Experiments on a low-cost Altera Cyclone II show that our system can fit a signature set of more than 43K characters and is capable of 1 gigabit per second throughput.
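The two-stage idea in the abstract, as a software model added here for illustration; it is not the paper's FPGA design or code. Assumptions: fixed 8-byte constructed signatures, BLAKE2b as the hash, and a simplified XOR-and-peeling Bloomier construction whose lookup yields a signature index that is confirmed with one exact comparison.

```python
import hashlib

W = 8  # signature/window length in bytes (constructed; the paper handles up to 256)
SIGS = [b"EVIL-001", b"EVIL-002", b"TESTSIG3", b"PAYLOAD4"]  # constructed samples

def positions(data, salt, seg):  # one cell per table segment, so the 3 never coincide
    d = hashlib.blake2b(data, salt=salt, digest_size=12).digest()
    return [i * seg + int.from_bytes(d[4*i:4*i+4], "big") % seg for i in range(3)]

def lookup(table, ps):
    return table[ps[0]] ^ table[ps[1]] ^ table[ps[2]]

def peel(pos):
    """Order signatures so each owns a cell that no later-ordered signature uses."""
    cells = {p: {s for s in pos if p in pos[s]} for ps in pos.values() for p in ps}
    order, stack = [], [p for p, ks in cells.items() if len(ks) == 1]
    while stack:
        p = stack.pop()
        if len(cells[p]) == 1:
            (s,) = cells[p]
            order.append((s, p))
            for q in pos[s]:
                cells[q].discard(s)
                stack.append(q)
    return order if len(order) == len(pos) else None

def build(sigs, seg=16):
    """Return (bloom, table, salt); XOR of table over a signature's cells = index + 1."""
    bloom = {p for s in sigs for p in positions(s, b"bloom", seg)}  # set bit positions
    for n in range(16):  # retry with another hash salt if peeling fails
        salt = b"bloomier" + bytes([n])
        order = peel({s: positions(s, salt, seg) for s in sigs})
        if order is not None:
            table = [0] * (3 * seg)
            for s, p in reversed(order):  # cell p is still 0 here, so XOR all three
                table[p] = (sigs.index(s) + 1) ^ lookup(table, positions(s, salt, seg))
            return bloom, table, salt
    raise RuntimeError("no salt gave a peelable table")

def scan(data, sigs, bloom, table, salt, seg=16):
    hits, suspects = [], 0
    for off in range(len(data) - W + 1):
        win = data[off:off + W]
        if all(p in bloom for p in positions(win, b"bloom", seg)):  # stage 1: filter
            suspects += 1
            idx = lookup(table, positions(win, salt, seg))  # stage 2: Bloomier index
            if 1 <= idx <= len(sigs) and sigs[idx - 1] == win:  # one exact compare
                hits.append((off, idx - 1))
    return hits, suspects
```

`scan` returns the confirmed `(offset, signature index)` pairs together with the number of windows that passed the Bloom stage, which shows how much input the first stage discards before any exact comparison.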
