Scalable Automaton Matching for High-Speed Deep Content Inspection

String matching is central to content-inspection applications such as intrusion detection, anti-virus, anti-spam and Web filtering. Because it is both computation- and memory-intensive, software matching algorithms cannot keep up with high-speed links, so offloading packet content inspection to dedicated hardware seems inevitable. This paper presents a scalable automaton matching (SAM) design that uses the Aho-Corasick (AC) algorithm with two parallel acceleration techniques, root-indexing and pre-hashing. Root-indexing matches multiple bytes in a single lookup, and pre-hashing lets the engine skip bitmap AC matching, a cycle-consuming operation. Implemented on the Xilinx Vertex4P FPGA platform, the proposed architecture achieves almost 10.7 Gbps while supporting the largest pattern set, which is 7.65 times faster than the original bitmap AC in the average case. SAM is feasible with either an internal or an external memory architecture: the internal memory architecture provides high performance, and the external memory architecture provides high scalability in the number of patterns.
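The following Python is an added illustration, not code from the paper (whose design is an FPGA architecture): it models the three ideas in the abstract in software so that the cost accounting is visible. States are bitmap-encoded (a 256-bit mask plus a compact successor array indexed by popcount), a root index consumes k bytes per lookup whenever the automaton sits in the root state, and a pre-hash filter (a small bit table keyed on the state/byte pair) is consulted before each bitmap read so that transitions that cannot exist cost no memory access. The pattern set, payload, hash function, filter size and all names are constructed assumptions; the paper's actual table layouts are not reproduced.

```python
"""Bitmap Aho-Corasick with root-indexing and pre-hashing (added illustration).
Pattern set, payload, hash function and filter size are constructed, not the paper's."""
from collections import deque

# Constructed sample data: Snort-style content strings and an HTTP request.
PATTERNS = [b"/etc/passwd", b"cmd.exe", b"SELECT", b"UNION", b"<script"]
PAYLOAD = (b"GET /index.php?id=1%20UNION%20SELECT%20user,pass HTTP/1.1\r\n"
           b"Host: example.test\r\nCookie: q=<script>alert(1)</script>\r\n\r\n"
           b"../../etc/passwd\r\n")


class BitmapAC:
    FILTER_BITS = 1024  # assumed on-chip pre-hash table size; false positives only

    def __init__(self, patterns, k=2):
        self.patterns = list(patterns)
        self.k = k
        # No match may end inside a k-byte root jump, so every pattern needs len >= k.
        assert all(len(p) >= k for p in self.patterns)
        goto, self.out = [{}], [[]]
        for pid, p in enumerate(self.patterns):
            s = 0
            for b in p:
                if b not in goto[s]:
                    goto.append({})
                    self.out.append([])
                    goto[s][b] = len(goto) - 1
                s = goto[s][b]
            self.out[s].append(pid)
        # Failure links by BFS; outputs are merged so suffix matches are reported.
        self.fail = [0] * len(goto)
        queue = deque(goto[0].values())
        while queue:
            s = queue.popleft()
            for b, t in goto[s].items():
                f = self.fail[s]
                while f and b not in goto[f]:
                    f = self.fail[f]
                self.fail[t] = goto[f].get(b, 0)
                self.out[t] = self.out[t] + self.out[self.fail[t]]
                queue.append(t)
        # Bitmap encoding: one 256-bit mask per state plus a compact successor
        # array; the popcount of the mask below bit b is the successor's index.
        self.bitmap = [sum(1 << b for b in g) for g in goto]
        self.succ = [[g[b] for b in sorted(g)] for g in goto]
        # Pre-hash filter: one bit per (state, byte) pair that has a real edge.
        self.filter_bits = 0
        for s, g in enumerate(goto):
            for b in g:
                self.filter_bits |= 1 << self._h(s, b)
        # Root index: the state reached from the root after every k-byte window.
        self.stats = {"bitmap_reads": 0}
        self.root_index = [0] * (256 ** k)
        for w in range(256 ** k):
            s = 0
            for b in w.to_bytes(k, "big"):
                s = self._step(s, b, prehash=False)
            self.root_index[w] = s

    def _h(self, s, b):
        # Toy hash into the filter (assumed); it only affects the false-positive rate.
        return ((s * 0x9E3779B1) ^ (b * 0x85EBCA6B)) % self.FILTER_BITS

    def _step(self, s, b, prehash=True):
        """Bitmap AC transition on one byte, following failure links on a miss."""
        while True:
            if not prehash or (self.filter_bits >> self._h(s, b)) & 1:
                # Filter says "maybe": pay for the bitmap (memory) read.
                self.stats["bitmap_reads"] += 1
                bm = self.bitmap[s]
                if (bm >> b) & 1:
                    return self.succ[s][bin(bm & ((1 << b) - 1)).count("1")]
            # Filter clear, or bitmap miss: no edge, back off along the failure link.
            if s == 0:
                return 0
            s = self.fail[s]

    def search(self, data, root_index=True, prehash=True):
        """Return (sorted (offset, pattern) hits, operation counts) for data."""
        self.stats = {"bitmap_reads": 0, "root_lookups": 0, "byte_steps": 0}
        hits, s, i, n = [], 0, 0, len(data)
        while i < n:
            if root_index and s == 0 and i + self.k <= n:
                # Root-indexing: one table lookup consumes k bytes at once.
                s = self.root_index[int.from_bytes(data[i:i + self.k], "big")]
                i += self.k
                self.stats["root_lookups"] += 1
            else:
                s = self._step(s, data[i], prehash)
                i += 1
                self.stats["byte_steps"] += 1
            for pid in self.out[s]:
                hits.append((i - len(self.patterns[pid]), self.patterns[pid]))
        return sorted(hits), dict(self.stats)


if __name__ == "__main__":
    ac = BitmapAC(PATTERNS, k=2)
    for ri, ph in ((False, False), (True, False), (True, True)):
        hits, st = ac.search(PAYLOAD, root_index=ri, prehash=ph)
        print(f"root_index={ri!s:5} prehash={ph!s:5} hits={hits} {st}")
```

Two properties matter for correctness here. The pre-hash filter can only produce false positives (an extra bitmap read), never false negatives, so it cannot lose a match; and the root index is sound only because every pattern is at least k bytes long, which guarantees that no pattern can end inside the bytes consumed by one jump. Running the three configurations on the same payload shows identical hits while `byte_steps` drops with root-indexing and `bitmap_reads` drops further with pre-hashing.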
