
A fast scalable automaton-matching accelerator for embedded content processors

Published: 22 April 2009

Abstract

Home and office network gateways often employ a cost-effective embedded network processor to handle their network services. Such gateways face strong demand for applications dealing with intrusion detection, keyword blocking, antivirus and antispam. Accordingly, we were motivated to propose fast scalable automaton-matching (FSAM) hardware to accelerate embedded network processors. Although automaton-matching algorithms are robust, with deterministic matching time, there is still plenty of room for improving their average-case performance. FSAM employs novel prehash and root-index techniques to accelerate matching for the nonroot states and the root state, respectively, in automaton-based hardware. The prehash approach uses hashing functions to pretest the input substring for the nonroot states, while the root-index approach handles multiple bytes in a single matching step for the root state. FSAM is applied to a prevalent automaton algorithm, Aho-Corasick (AC), which is used in many content-filtering applications. When implemented in FPGA, FSAM can perform at the rate of 11.1 Gbps with a pattern set of 32,634 bytes, demonstrating that our proposed approach can use a small logic circuit to achieve competitive performance, although a larger memory is used. Furthermore, the number of patterns in FSAM is not limited by the amount of internal circuits and memories. If high-speed external memories are employed, FSAM can support up to 21,302 patterns while maintaining similar high performance.
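The root-index idea from the abstract, as an added software sketch in Python (not code from the paper, and not its FPGA design): a plain Aho-Corasick matcher plus a table that consumes two bytes per lookup whenever the automaton sits in the root state. The table layout, the two-byte width, the function names and the sample data are assumptions made here; the prehash stage for nonroot states is not modelled.

```python
PATTERNS, DATA = [b"he", b"she", b"hers", b"a"], b"xx ushers a"  # constructed samples

def step(ac, s, b):                      # one ordinary single-byte transition
    while s and b not in ac[0][s]:
        s = ac[1][s]                     # follow failure links toward the root
    return ac[0][s].get(b, 0)

def build_ac(patterns):
    """Plain Aho-Corasick: goto, failure and output tables; state 0 is the root."""
    ac = goto, fail, out = [{}], [0], [[]]   # ac shares the three lists
    for p in patterns:
        s = 0
        for b in p:
            if b not in goto[s]:
                goto.append({}); fail.append(0); out.append([])
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].append(p)
    q = list(goto[0].values())
    for s in q:                          # breadth-first; q grows while iterated
        for b, t in goto[s].items():
            fail[t] = step(ac, fail[s], b)
            out[t] = out[t] + out[fail[t]]   # inherit matches ending at the suffix
            q.append(t)
    return ac

def build_root_index(ac):
    """Assumed layout: (b1, b2) -> (state after b1, state after b2) from the root."""
    idx = {}
    for b1 in range(256):
        s1 = step(ac, 0, b1)
        for b2 in range(256):
            s2 = step(ac, s1, b2)
            if s1 or s2:                 # pairs that stay in the root are implicit
                idx[(b1, b2)] = (s1, s2)
    return idx

def scan(ac, data, root_index=None):
    """Sorted (end_offset, pattern) hits; two bytes per lookup while at the root."""
    s, i, hits = 0, 0, []
    while i < len(data):
        if root_index is not None and s == 0 and i + 1 < len(data):
            s1, s = root_index.get((data[i], data[i + 1]), (0, 0))
            hits += [(i, p) for p in ac[2][s1]]   # pattern ending on the first byte
            i += 2
        else:
            s = step(ac, s, data[i])
            i += 1
        hits += [(i - 1, p) for p in ac[2][s]]
    return sorted(hits)
```

The table must record the intermediate state as well as the final one: a one-byte signature such as `b"a"` can end on the first byte of a pair, and skipping two bytes blindly would miss it.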

