A fast scalable automaton-matching accelerator for embedded content processors

Home and office network gateways often employ a cost-effective embedded network processor to handle their network services. Such network gateways have received strong demand for applications dealing with intrusion detection, keyword blocking, antivirus and antispam. Accordingly, we were motivated to propose an appropriate fast scalable automaton-matching (FSAM) hardware to accelerate the embedded network processors. Although automaton matching algorithms are robust with deterministic matching time, there is still plenty of room for improving their average-case performance. FSAM employs novel prehash and root-index techniques to accelerate the matching for the nonroot states and the root state, respectively, in automation based hardware. The prehash approach uses some hashing functions to pretest the input substring for the nonroot states while the root-index approach handles multiple bytes in one single matching for the root state. Also, FSAM is applied in a prevalent automaton algorithm, Aho-Corasick (AC), which is often used in many content-filtering applications. When implemented in FPGA, FSAM can perform at the rate of 11.1Gbps with the pattern set of 32,634 bytes, demonstrating that our proposed approach can use a small logic circuit to achieve a competitive performance, although a larger memory is used. Furthermore, the amount of patterns in FSAM is not limited by the amount of internal circuits and memories. If the high-speed external memories are employed, FSAM can support up to 21,302 patterns while maintaining similar high performance.

[1]  Gerald Tripp A Finite-State-Machine based string matching system for Intrusion Detection on High-Speed Networks , 2005 .

[2]  Dionisios N. Pnevmatikatos,et al.  Hashing + memory = low cost, exact pattern matching , 2005, International Conference on Field Programmable Logic and Applications, 2005..

[3]  Raghu Sastry,et al.  CASM: A VLSI Chip for Approximate String Matching , 1995, IEEE Trans. Pattern Anal. Mach. Intell..

[4]  Evangelos P. Markatos,et al.  Generating realistic workloads for network intrusion detection systems , 2004, WOSP '04.

[5]  Udi Manber,et al.  Fast text searching: allowing errors , 1992, CACM.

[6]  T. G. Noll,et al.  A programmable processor for approximate string matching with high throughput rate , 2000, Proceedings IEEE International Conference on Application-Specific Systems, Architectures, and Processors.

[7]  John W. Lockwood,et al.  Implementation of a content-scanning module for an Internet firewall , 2003, 11th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, 2003. FCCM 2003..

[8]  N. S. Desai Increasing Performance in High Speed NIDS , 2002 .

[9]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[10]  Timothy Sherwood,et al.  A high throughput string matching architecture for intrusion detection and prevention , 2005, 32nd International Symposium on Computer Architecture (ISCA'05).

[11]  George Varghese,et al.  Fast Content-Based Packet Handling for Intrusion Detection , 2001 .

[12]  John W. Lockwood,et al.  Deep packet inspection using parallel bloom filters , 2004, IEEE Micro.

[13]  Evangelos P. Markatos,et al.  Piranha: Fast and Memory-Efficient Pattern Matching for Intrusion Detection , 2005, SEC.

[14]  Gonzalo Navarro,et al.  Flexible Pattern Matching in Strings: Practical On-Line Search Algorithms for Texts and Biological Sequences , 2002 .

[15]  William H. Mangione-Smith,et al.  A pattern matching co-processor for network security , 2005, Proceedings. 42nd Design Automation Conference, 2005..

[16]  Dionisios N. Pnevmatikatos,et al.  Fast, Large-Scale String Match for a 10Gbps FPGA-Based Network Intrusion Detection System , 2003, FPL.

[17]  Robert S. Boyer,et al.  A fast string searching algorithm , 1977, CACM.

[18]  Christopher R. Clark,et al.  A pattern-matching co-processor for network intrusion detection systems , 2003, Proceedings. 2003 IEEE International Conference on Field-Programmable Technology (FPT) (IEEE Cat. No.03EX798).

[19]  Christopher R. Clark,et al.  Efficient Reconfigurable Logic Circuits for Matching Complex Network Intrusion Detection Patterns , 2003, FPL.

[20]  Timothy Sherwood,et al.  A High Throughput String Matching Architecture for Intrusion Detection and Prevention , 2005, ISCA 2005.

[21]  Paul D. Franzon,et al.  Configurable string matching hardware for speeding up intrusion detection , 2005, CARN.

[22]  Martin Roesch,et al.  SNORT: The Open Source Network Intrusion Detection System 1 , 2002 .

[23]  Stuart Staniford,et al.  Towards Faster String Matching for Intrusion Detection , 2001 .

[24]  Brad L. Hutchings,et al.  Assisting network intrusion detection with reconfigurable hardware , 2002, Proceedings. 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[25]  K. M. George,et al.  Parallel string matching algorithms based on dataflow , 1999, Proceedings of the 32nd Annual Hawaii International Conference on Systems Sciences. 1999. HICSS-32. Abstracts and CD-ROM of Full Papers.

[26]  Pei Cao,et al.  Hash-AV: fast virus signature scanning by cache-resident filters , 2005, GLOBECOM '05. IEEE Global Telecommunications Conference, 2005..

[27]  Viktor K. Prasanna,et al.  Fast Regular Expression Matching Using FPGAs , 2001, The 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM'01).

[28]  Sarang Dharmapurikar,et al.  Implementation results of bloom filters for string matching , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[29]  Michael Mitzenmacher,et al.  Compressed bloom filters , 2001, PODC '01.

[30]  George Varghese,et al.  Deterministic memory-efficient string matching algorithms for intrusion detection , 2004, IEEE INFOCOM 2004.

[31]  Dionisios N. Pnevmatikatos,et al.  Pre-decoded CAMs for efficient and high-speed NIDS pattern matching , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[32]  Pei Cao,et al.  Hash-AV: fast virus signature scanning by cache-resident filters , 2005, GLOBECOM.

[33]  Christopher R. Clark,et al.  Scalable pattern matching for high speed networks , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[34]  Viktor K. Prasanna,et al.  Time and area efficient pattern matching on FPGAs , 2004, FPGA '04.

[35]  Steve Poole,et al.  Granidt: Towards Gigabit Rate Network Intrusion Detection Technology , 2002, FPL.

[36]  Stamatis Vassiliadis,et al.  A reconfigurable perfect-hashing scheme for packet inspection , 2005, International Conference on Field Programmable Logic and Applications, 2005..

[37]  John A. Chandy,et al.  A keyword match processor architecture using content addressable memory , 2004, GLSVLSI '04.

[38]  Gonzalo Navarro,et al.  A guided tour to approximate string matching , 2001, CSUR.

[39]  Michiel H. M. Smid,et al.  On the false-positive rate of Bloom filters , 2008, Inf. Process. Lett..