Optimized memory based accelerator for scalable pattern matching

One of the most promising techniques to detect and thwart a network attack in a network intrusion detection system is to compare each incoming packet with pre-defined attack patterns. This comparison can be performed by a pattern matching engine which has several key requirements including scalability to line rates of network traffic and easy updating of new attack patterns. Memory-based deterministic finite automata meet these requirements, however their storage requirement will grow exponentially with the number of patterns which makes it impractical for implementation. In this paper, we propose a customized memory-based pattern matching engine, whose storage requirement linearly increases with the number of patterns. The basic idea is to allocate one memory slot for each state instead of each edge of the deterministic finite automaton. To demonstrate this idea, we have developed two customized memory decoders. We evaluate them by comparing with a traditional approach in terms of programmability and resource requirements. We also examine their effectiveness for different optimized deterministic finite automata. Experimental results are presented to demonstrate the validity of our proposed approach.

[1]  Nen-Fu Huang,et al.  A fast string-matching algorithm for network processor-based intrusion detection system , 2004, TECS.

[2]  John A. Chandy,et al.  FPGA based network intrusion detection using content addressable memories , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[3]  John A. Chandy,et al.  FPGA based string matching for network processing applications , 2008, Microprocess. Microsystems.

[4]  Ron K. Cytron,et al.  A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching , 2006, 33rd International Symposium on Computer Architecture (ISCA'06).

[5]  Udi Manber,et al.  A FAST ALGORITHM FOR MULTI-PATTERN SEARCHING , 1999 .

[6]  Robert S. Boyer,et al.  A fast string searching algorithm , 1977, CACM.

[7]  John W. Lockwood,et al.  Deep packet inspection using parallel bloom filters , 2004, IEEE Micro.

[8]  Viktor K. Prasanna,et al.  A methodology for synthesis of efficient intrusion detection systems on FPGAs , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[9]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[10]  Haibo Wang,et al.  Implementing high-speed string matching hardware for network intrusion detection systems , 2008, FPGA '08.

[11]  George Varghese,et al.  Packet classification using multidimensional cutting , 2003, SIGCOMM '03.

[12]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[13]  Nick McKeown,et al.  Packet classification on multiple fields , 1999, SIGCOMM '99.

[14]  T. V. Lakshman,et al.  Fast and memory-efficient regular expression matching for deep packet inspection , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[15]  Viktor K. Prasanna,et al.  Fast Regular Expression Matching Using FPGAs , 2001, The 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM'01).

[16]  Dorothy E. Denning,et al.  An Intrusion-Detection Model , 1987, IEEE Transactions on Software Engineering.

[17]  Bernhard Plattner,et al.  Scalable high-speed prefix matching , 2001, TOCS.

[18]  Srihari Cadambi,et al.  Memory-Efficient Regular Expression Search Using State Merging , 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[19]  George Varghese,et al.  Packet classification for core routers: is there an alternative to CAMs? , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[20]  Patrick Crowley,et al.  Algorithms to accelerate multiple regular expressions matching for deep packet inspection , 2006, SIGCOMM 2006.

[21]  Paul D. Franzon,et al.  Configurable string matching hardware for speeding up intrusion detection , 2005, CARN.

[22]  Wolfgang Rosenstiel,et al.  New Algorithms, Architectures and Applications for Reconfigurable Computing , 2005 .

[23]  John W. Lockwood,et al.  Dynamic hardware plugins in an FPGA with partial run-time reconfiguration , 2002, DAC '02.

[24]  Timothy Sherwood,et al.  A High Throughput String Matching Architecture for Intrusion Detection and Prevention , 2005, ISCA 2005.

[25]  Beate Commentz-Walter,et al.  A String Matching Algorithm Fast on the Average , 1979, ICALP.

[26]  John W. Lockwood,et al.  Implementation of a content-scanning module for an Internet firewall , 2003, 11th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, 2003. FCCM 2003..

[27]  Somesh Jha,et al.  XFA: Faster Signature Matching with Extended Automata , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[28]  William H. Mangione-Smith,et al.  Deep packet filter with dedicated logic and read only memories , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[29]  Jan van Lunteren,et al.  High-Performance Pattern-Matching for Intrusion Detection , 2006, INFOCOM.

[30]  George Varghese,et al.  Network Algorithmics-An Interdisciplinary Approach to Designing Fast Networked Devices , 2004 .

[31]  T. V. Lakshman,et al.  Gigabit rate packet pattern-matching using TCAM , 2004, Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004..

[32]  Christopher R. Clark,et al.  Scalable pattern matching for high speed networks , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[33]  Patrick Crowley,et al.  An improved algorithm to accelerate regular expression evaluation , 2007, ANCS '07.