Module-Based Finite Automata: A Scalable and Memory-Efficient Architecture for Multi-pattern Matching in Deep Packet Inspection

Multi-pattern matching is a critical technique for building high performance Network Intrusion Detection Systems (NIDS) and Deep Packet Inspection System (DPIS). Given a set of signature database, multi-pattern matching compares packet against patterns to detect the known attacks. Deterministic Finite Automaton (DFA) is widely used for multi-pattern matching in NIDS for its constant matching speed even in the worst case. Existing DFA-based works have claimed to achieve a high speed throughput at expenses of extremely high memory cost and logic complexity, so it fails to meet the memory space requirements of embedded system or high performance routers. In this paper, we propose a novel a memory-efficient multi-pattern matching acceleration scheme called Module-based Finite Automata (MB-FA) which could achieve a great acceleration with little memory duplication. The basic idea of MB-FA is to store the original DFA in independent modules with a delicate algorithm so that inter-flow parallelism can be exploited to its largest scale. A full systematic design of MB-FA is presented, and support for rule update is also introduced. Evaluation experiments show that without any optimization, MB-FA can achieve an average speed-up of 20 times when the memory cost is almost the twice of original DFA.

[1]  Bin Liu,et al.  A Memory-Efficient Parallel String Matching Architecture for High-Speed Intrusion Detection , 2006, IEEE Journal on Selected Areas in Communications.

[2]  C.J. Coit,et al.  Towards faster string matching for intrusion detection or exceeding the speed of Snort , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[3]  John W. Lockwood,et al.  Fast and Scalable Pattern Matching for Network Intrusion Detection Systems , 2006, IEEE Journal on Selected Areas in Communications.

[4]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[5]  Jan van Lunteren,et al.  High-Performance Pattern-Matching for Intrusion Detection , 2006, INFOCOM.

[6]  Nen-Fu Huang,et al.  A fast string-matching algorithm for network processor-based intrusion detection system , 2004, TECS.

[7]  George Varghese,et al.  Fast Content-Based Packet Handling for Intrusion Detection , 2001 .

[8]  Gonzalo Navarro,et al.  Flexible Pattern Matching in Strings: Practical On-Line Search Algorithms for Texts and Biological Sequences , 2002 .

[9]  Evangelos P. Markatos,et al.  : A DOMAIN-SPECIFIC STRING MATCHING ALGORITHM FOR INTRUSION DETECTION , 2003 .

[10]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[11]  Timothy Sherwood,et al.  A High Throughput String Matching Architecture for Intrusion Detection and Prevention , 2005, ISCA 2005.

[12]  Ron K. Cytron,et al.  A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching , 2006, 33rd International Symposium on Computer Architecture (ISCA'06).

[13]  T. V. Lakshman,et al.  Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection , 2009, IEEE INFOCOM 2009.

[14]  T. V. Lakshman,et al.  Gigabit rate packet pattern-matching using TCAM , 2004, Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004..

[15]  Beate Commentz-Walter,et al.  A String Matching Algorithm Fast on the Average , 1979, ICALP.

[16]  Wei Zhang,et al.  A Memory Efficient Multiple Pattern Matching Architecture for Network Security , 2008, IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.