Compiling PCRE to FPGA for accelerating SNORT IDS

Deep Payload Inspection systems like SNORT and BRO utilize regular expression for their rules due to their high expressibility and compactness. The SNORT IDS system uses the PCRE Engine for regular expression matching on the payload. The software based PCRE Engine utilizes an NFA engine based on certain opcodes which are determined by the regular expression operators in a rule. Each rule in the SNORT ruleset is translated by PCRE compiler into an unique regular expression engine. Since the software based PCRE engine can match the payload with a single regular expression at a time, and needs to do so for multiple rules in the ruleset, the throughput of the SNORT IDS system dwindles as each packet is processed through a multitude of regular expressions. In this paper we detail our implementation of hardware based regular expression engines for the SNORT IDS by transforming the PCRE opcodes generated by the PCRE compiler from SNORT regular expression rules. Our compiler generates VHDL code corresponding to the opcodes generated for the SNORT regular expression rules. We have tuned our hardware implementation to utilize an NFA based regular expression engine, using greedy quantifiers, in much the same way as the software based PCRE engine. Our system implements a regular expression only once for each new rule in the SNORT ruleset, thus resulting in a fast system that scales well with new updates. We implement two hundred PCRE engines based on a plethora of SNORT IDS rules, and use a Virtex-4 LX200 FPGA, on the SGI RASC RC 100 Blade connected to the SGI ALTIX 4700 supercomputing system as a testbed. We obtain an interface through-put of (12.9 GBits/s) and also a maximum speedup of 353X over software based PCRE execution.

[1]  References , 1971 .

[2]  John W. Lockwood,et al.  Reprogrammable network packet processing on the field programmable port extender (FPX) , 2001, FPGA '01.

[3]  J. Lockwood An Open Platform for Development of Network Processing Modules in Reprogrammable Hardware , 2001 .

[4]  Viktor K. Prasanna,et al.  Fast Regular Expression Matching Using FPGAs , 2001, The 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM'01).

[5]  William H. Mangione-Smith,et al.  Specialized Hardware for Deep Network Packet Filtering , 2002, FPL.

[6]  John W. Lockwood,et al.  Implementation of a content-scanning module for an Internet firewall , 2003, 11th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, 2003. FCCM 2003..

[7]  Viktor K. Prasanna,et al.  Time and area efficient pattern matching on FPGAs , 2004, FPGA '04.

[8]  Anurag Tiwari,et al.  Saving power by mapping finite-state machines into embedded memory blocks in FPGAs , 2004, Proceedings Design, Automation and Test in Europe Conference and Exhibition.

[9]  Viktor K. Prasanna,et al.  A methodology for synthesis of efficient intrusion detection systems on FPGAs , 2004, 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines.

[10]  Timothy Sherwood,et al.  A High Throughput String Matching Architecture for Intrusion Detection and Prevention , 2005, ISCA 2005.

[11]  Timothy Sherwood,et al.  A high throughput string matching architecture for intrusion detection and prevention , 2005, 32nd International Symposium on Computer Architecture (ISCA'05).

[12]  Dhabaleswar K. Panda,et al.  Performance characterization of a 10-Gigabit Ethernet TOE , 2005, 13th Symposium on High Performance Interconnects (HOTI'05).

[13]  Ron K. Cytron,et al.  A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching , 2006, 33rd International Symposium on Computer Architecture (ISCA'06).

[14]  Patrick Crowley,et al.  Algorithms to accelerate multiple regular expressions matching for deep packet inspection , 2006, SIGCOMM.

[15]  Cheng-Hung Lin,et al.  Optimization of Regular Expression Pattern Matching Circuits on FPGA , 2006, Proceedings of the Design Automation & Test in Europe Conference.

[16]  Walid A. Najjar,et al.  Automatic Compilation Framework for Bloom Filter Based Intrusion Detection , 2006, ARC.

[17]  Ron K. Cytron,et al.  A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching , 2006, ISCA 2006.

[18]  T. V. Lakshman,et al.  Fast and memory-efficient regular expression matching for deep packet inspection , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[19]  Stamatis Vassiliadis,et al.  Synthesis of Regular Expressions Targeting FPGAs: Current Status and Open Issues , 2007, ARC.

[20]  Stamatis Vassiliadis,et al.  Regular Expression Matching in Reconfigurable Hardware , 2008, J. Signal Process. Syst..