An index-split Bloom filter for deep packet inspection

Deep packet inspection (DPI) scans both packet headers and payloads to search for predefined signatures. As link rates and traffic volumes of Internet are constantly growing, DPI is facing the high performance challenge of how to achieve line-speed packet processing with limited embedded memory. The recent trie bitmap content analyzer (TriBiCa) suffers from high update overhead and many false positive memory accesses, while the shared-node fast hash table (SFHT) suffers from high update overhead and large memory requirements. This paper presents an index-split Bloom filter (ISBF) to overcome these issues. Given a set of off-chip items, an index of each item is split apart into several groups of constant bits, and each group of bits uses an array of on-chip parallel counting Bloom filters (CBFs) to represent the overall off-chip items. When an item is queried, several groups of on-chip parallel CBFs constitute an index of an off-chip item candidate for a match. Furthermore, we propose a lazy deletion algorithm and vacant insertion algorithm to reduce the update overhead of ISBF, where an on-chip deletion bitmap is used to update on-chip parallel CBFs, not adjusting other related off-chip items. The ISBF is a time/space-efficient data structure, which not only achieves O(1) average memory accesses of insertion, deletion, and query, but also reduces the memory requirements. Experimental results demonstrate that compared with the TriBiCa and SFHT, the ISBF significantly reduces the off-chip memory accesses and processing time of primitive operations, as well as both the on-chip and off-chip memory sizes.

[1]  Andrei Broder,et al.  Network Applications of Bloom Filters: A Survey , 2004, Internet Math..

[2]  H. Jonathan Chao,et al.  TriBiCa: Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection , 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[3]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[4]  Ron K. Cytron,et al.  A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching , 2006, 33rd International Symposium on Computer Architecture (ISCA'06).

[5]  Cristian Estan,et al.  New directions in traffic measurement and accounting , 2001, IMW '01.

[6]  Bin Liu,et al.  A Memory-Efficient Parallel String Matching Architecture for High-Speed Intrusion Detection , 2006, IEEE Journal on Selected Areas in Communications.

[7]  Haoyu Song,et al.  Fast hash table lookup using extended bloom filter: an aid to network processing , 2005, SIGCOMM '05.

[8]  Rabi N. Mahapatra,et al.  A Memory-Efficient Hashing by Multi-Predicate Bloom Filters for Packet Classification , 2008, IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.

[9]  John W. Lockwood,et al.  Rethinking Hardware Support for Network Analysis and Intrusion Prevention , 2006, HotSec.

[10]  Somesh Jha,et al.  Deflating the big bang: fast and scalable deep packet inspection with extended finite automata , 2008, SIGCOMM '08.

[11]  Timothy Sherwood,et al.  Bit-split string-matching engines for intrusion detection and prevention , 2006, TACO.

[12]  T. V. Lakshman,et al.  Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection , 2009, IEEE INFOCOM 2009.

[13]  Andrei Z. Broder,et al.  Using multiple hash functions to improve IP lookups , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[14]  T. V. Lakshman,et al.  Fast and memory-efficient regular expression matching for deep packet inspection , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[15]  Srihari Cadambi,et al.  Memory-Efficient Regular Expression Search Using State Merging , 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[16]  Anand Rangarajan,et al.  Algorithms for advanced packet classification with ternary CAMs , 2005, SIGCOMM '05.

[17]  Somesh Jha,et al.  XFA: Faster Signature Matching with Extended Automata , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[18]  Dionisios N. Pnevmatikatos,et al.  Pre-decoded CAMs for efficient and high-speed NIDS pattern matching , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[19]  Patrick Crowley,et al.  Segmented hash , 2005, 2005 Symposium on Architectures for Networking and Communications Systems (ANCS).

[20]  Michalis Faloutsos,et al.  Transport layer identification of P2P traffic , 2004, IMC '04.

[21]  Jan van Lunteren,et al.  High-Performance Pattern-Matching for Intrusion Detection , 2006, INFOCOM.

[22]  Christopher R. Clark,et al.  Scalable pattern matching for high speed networks , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[23]  John W. Lockwood,et al.  Fast and scalable pattern matching for content filtering , 2005, 2005 Symposium on Architectures for Networking and Communications Systems (ANCS).

[24]  Wei Zhang,et al.  A Memory Efficient Multiple Pattern Matching Architecture for Network Security , 2008, IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.

[25]  Michael Mitzenmacher,et al.  Simple Summaries for Hashing With Choices , 2008, IEEE/ACM Transactions on Networking.

[26]  Ron K. Cytron,et al.  A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching , 2006, ISCA 2006.

[27]  George Varghese,et al.  Deterministic memory-efficient string matching algorithms for intrusion detection , 2004, IEEE INFOCOM 2004.

[28]  Nan Hua,et al.  Rank-indexed hashing: A compact construction of Bloom filters and variants , 2008, 2008 IEEE International Conference on Network Protocols.

[29]  George Varghese,et al.  Curing regular expressions matching algorithms from insomnia, amnesia, and acalculia , 2007, ANCS '07.

[30]  Patrick Crowley,et al.  Peacock Hashing: Deterministic and Updatable Hashing for High Performance Networking , 2008, IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.

[31]  George Varghese,et al.  Beyond bloom filters: from approximate membership checks to approximate state machines , 2006, SIGCOMM.

[32]  Yan Luo,et al.  Efficient memory utilization on network processors for deep packet inspection , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[33]  Li Fan,et al.  Summary cache: a scalable wide-area web cache sharing protocol , 2000, TNET.

[34]  Michael Mitzenmacher,et al.  The Power of One Move: Hashing Schemes for Hardware , 2010, IEEE/ACM Trans. Netw..

[35]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[36]  T. V. Lakshman,et al.  Gigabit rate packet pattern-matching using TCAM , 2004, Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004..

[37]  Jonathan S. Turner,et al.  Advanced algorithms for fast and scalable deep packet inspection , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[38]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[39]  Oliver Spatscheck,et al.  Accurate, scalable in-network identification of p2p traffic using application signatures , 2004, WWW '04.

[40]  Patrick Crowley,et al.  Algorithms to accelerate multiple regular expressions matching for deep packet inspection , 2006, SIGCOMM 2006.

[41]  John W. Lockwood,et al.  Deep packet inspection using parallel bloom filters , 2004, IEEE Micro.