A few bits are enough - ASIC friendly Regular Expression matching for high speed network security systems

Regular Expression (RegEx) matching is the core operation of various network security devices such as IPSes. Despite much effort, it has remained an unsolved problem to achieve both high speed and low memory requirements. XFA, the state-of-the-art software RegEx matching solution, has two fundamental limitations: (1) XFA construction is hard to automate as it requires manual annotation by human experts, and (2) XFA is hard to implement in ASIC as the program executed upon reaching a state requires much of the complexity of a general purpose CPU. In this paper, we propose HASIC, a History-based Finite Automaton (HFA [11]) based RegEx matching scheme. HASIC can exponentially reduce state explosion by testing, setting, and clearing an auxiliary vector of history bits. Compared with XFA, HASIC advances the state of the art because it can be fully automated and it is ASIC friendly. HASIC only uses three simple bit operations and they are easy to implement in ASIC. We conducted experiments using real-world RegEx sets and various traffic traces. Experimental results show that for packet processing speed, software HFA runs an average of 3.34 times faster than XFA; for automata construction speed, HFA is orders of magnitude faster than DFA; and for memory image size, HFA is an average of 20 times smaller than DFA.
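The test/set/clear mechanism the abstract describes, as an added illustration that is not code from the paper or its authors: for constructed rules of the form `.*P[^\n]*S` it counts the states of the single combined DFA, then matches the same rules with one history bit per rule. The rule set, function names and input are assumptions, and because P and S are single bytes here the automaton's control state collapses to one state, so this shows the history-bit idea rather than HASIC's construction algorithm.

```python
# Constructed rules (not from the paper): rule i is the regex .*P[^\n]*S with
# single-byte P and S, i.e. "P, then S later on the same line".
RULES = [(b"a", b"w"), (b"b", b"x"), (b"c", b"y"), (b"d", b"z")]
NL = 10  # newline byte

def dfa_state_count(rules):
    """Subset-construct one DFA for all rules and count its reachable states."""
    alphabet = {t[0] for r in rules for t in r} | {NL, ord("-")}  # "-" = any other byte

    def step(state, byte):
        nxt = set()
        for i, (p, s) in enumerate(rules):
            if byte == p[0]:
                nxt.add((i, 1))          # leading .* keeps the start state live
            if (i, 1) in state and byte != NL:
                nxt.add((i, 1))          # [^\n]* self-loop remembers "P seen"
                if byte == s[0]:
                    nxt.add((i, 2))      # accepting state of rule i
        return frozenset(nxt)

    seen, work = {frozenset()}, [frozenset()]
    while work:
        cur = work.pop()
        for byte in alphabet:
            nxt = step(cur, byte)
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return len(seen)

def build_actions(rules):
    """Per-byte [test, set, clear] masks over the history bit vector."""
    acts = {NL: [0, 0, (1 << len(rules)) - 1]}           # newline clears all bits
    for i, (p, s) in enumerate(rules):
        acts.setdefault(p[0], [0, 0, 0])[1] |= 1 << i    # P sets bit i
        acts.setdefault(s[0], [0, 0, 0])[0] |= 1 << i    # S tests bit i
    return acts

def hfa_scan(rules, data):
    """Return [(offset, rule_index)] for each position where a rule matches."""
    acts, history, hits = build_actions(rules), 0, []
    for off, byte in enumerate(data):
        test, set_mask, clear = acts.get(byte, (0, 0, 0))
        fired = history & test                           # test
        hits += [(off, i) for i in range(len(rules)) if fired >> i & 1]
        history = (history | set_mask) & ~clear          # set, then clear
    return hits

if __name__ == "__main__":
    print(dfa_state_count(RULES), "DFA states vs", len(RULES), "history bits")
    print(hfa_scan(RULES, b"a-b-w\nx-c-y-w"))  # constructed input
```

For these rules the combined DFA has 2^n + n·2^(n-1) reachable states (48 for n = 4), because it must remember which subset of prefixes has been seen on the current line; the history version keeps that subset in n bits instead.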

[1] Laxmi N. Bhuyan, et al. Compiling PCRE to FPGA for accelerating SNORT IDS, 2007, ANCS '07.

[2] Somesh Jha, et al. XFA: Faster Signature Matching with Extended Automata, 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[3] Somesh Jha, et al. Deflating the big bang: fast and scalable deep packet inspection with extended finite automata, 2008, SIGCOMM '08.

[4] Vern Paxson, et al. Bro: a system for detecting network intruders in real-time, 1998, Comput. Networks.

[5] Jan Korenek, et al. NFA split architecture for fast regular expression matching, 2010, 2010 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS).

[6] Eric Torng, et al. Fast Regular Expression Matching Using Small TCAMs for Network Intrusion Detection and Prevention Systems, 2010, USENIX Security Symposium.

[7] Patrick Crowley, et al. A hybrid finite automaton for practical deep packet inspection, 2007, CoNEXT '07.

[8] Liu Yang, et al. Fast, memory-efficient regular expression matching with NFA-OBDDs, 2011, Comput. Networks.

[9] Patrick Crowley, et al. An improved algorithm to accelerate regular expression evaluation, 2007, ANCS '07.

[10] Martin Roesch, et al. Snort - Lightweight Intrusion Detection for Networks, 1999.

[11] Patrick Crowley, et al. A workload for evaluating deep packet inspection architectures, 2008, 2008 IEEE International Symposium on Workload Characterization.

[12] Cheng-Hung Lin, et al. Optimization of Pattern Matching Circuits for Regular Expression on FPGA, 2007, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[13] Patrick Crowley, et al. Algorithms to accelerate multiple regular expressions matching for deep packet inspection, 2006, SIGCOMM 2006.

[14] Cheng-Hung Lin, et al. Optimization of Regular Expression Pattern Matching Circuits on FPGA, 2006, Proceedings of the Design Automation & Test in Europe Conference.

[15] Viktor K. Prasanna, et al. Fast Regular Expression Matching Using FPGAs, 2001, The 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM'01).

[16] Christopher R. Clark, et al. Efficient Reconfigurable Logic Circuits for Matching Complex Network Intrusion Detection Patterns, 2003, FPL.

[17] Min Chen, et al. Chain-Based DFA Deflation for Fast and Scalable Regular Expression Matching Using TCAM, 2011, 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems.

[18] Viktor K. Prasanna, et al. Compact architecture for high-throughput regular expression matching on FPGA, 2008, ANCS '08.

[19] T. V. Lakshman, et al. Fast and memory-efficient regular expression matching for deep packet inspection, 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[20] George Varghese, et al. Curing regular expressions matching algorithms from insomnia, amnesia, and acalculia, 2007, ANCS '07.

[21] Marco D. Santambrogio, et al. An adaptable FPGA-based System for Regular Expression Matching, 2008, 2008 Design, Automation and Test in Europe.

[22] Patrick Crowley, et al. Extending finite automata to efficiently match Perl-compatible regular expressions, 2008, CoNEXT '08.