Abstract
Home and office network gateways often employ a cost-effective embedded network processor to handle their network services, and such gateways are in strong demand for applications such as intrusion detection, keyword blocking, antivirus and antispam. This motivated us to propose fast scalable automaton-matching (FSAM) hardware to accelerate embedded network processors. Although automaton-matching algorithms are robust, with deterministic matching time, there is still plenty of room to improve their average-case performance. FSAM employs two novel techniques in automaton-based hardware: prehash, which accelerates matching for the nonroot states, and root-index, which accelerates matching for the root state. The prehash approach uses hashing functions to pretest the input substring at nonroot states, while the root-index approach handles multiple bytes in a single matching step at the root state. FSAM is applied to a prevalent automaton algorithm, Aho-Corasick (AC), which is widely used in content-filtering applications. When implemented in FPGA, FSAM runs at 11.1Gbps with a pattern set of 32,634 bytes, demonstrating that our approach achieves competitive performance with a small logic circuit, although it uses a larger memory. Furthermore, the number of patterns FSAM supports is not limited by the amount of internal circuits and memory: with high-speed external memories, FSAM can support up to 21,302 patterns while maintaining similar high performance.
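As an added illustration, not the paper's design (the page does not detail the FSAM hardware), here is a Python model of an Aho-Corasick matcher with the two accelerations the abstract names: a root index that maps each k-byte input window to the state reached from the root in one lookup, and a prehash that hashes the matched prefix plus the next byte at a nonroot state and takes the fail link immediately when the filter rules it out, sparing a goto-table access. The window width k=2, the 4096-bit filter and the two CRC-32 hash functions are my assumptions, as is the sample pattern set.

```python
import zlib
class FSAMModel:  # Aho-Corasick + k-byte root index + Bloom-style prehash (added software model)
    def __init__(self, patterns, k=2, bits=4096):
        self.goto, self.fail, self.out, self.depth = [{}], [0], [set()], [0]
        for p in patterns:  # keyword trie
            s = 0
            for b in p:
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.depth.append(self.depth[s] + 1)
                s = self.goto[s][b]
            self.out[s].add(p)
        order = list(self.goto[0].values())  # BFS (list grows as we go): failure links, outputs
        for r in order:
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]: f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]
                order.append(s)
        self.bits, self.bloom = bits, bytearray(bits)  # prehash filter over every pattern prefix
        for sub in {p[:n] for p in patterns for n in range(1, len(p) + 1)}:
            for h in self._hashes(sub): self.bloom[h] = 1
        self.k, self.root_index = k, {}  # root index: k-byte window -> (state reached, hits)
        for win in (w.to_bytes(k, "big") for w in range(256 ** k)):
            s, hits = 0, []
            for i, b in enumerate(win): s = self._step(s, b); hits += [(i, p) for p in self.out[s]]
            self.root_index[win] = (s, hits)

    def _hashes(self, sub):  # two hash functions: CRC-32 with two different initial values
        return zlib.crc32(sub) % self.bits, zlib.crc32(sub, 0x9E3779B9) % self.bits

    def _step(self, s, b):  # plain AC transition, walking fail links as needed
        while s and b not in self.goto[s]: s = self.fail[s]
        return self.goto[s].get(b, 0)

    def search(self, text):  # -> ([(end_index, pattern)], goto lookups avoided by the prehash)
        matches, skipped, s, i = [], 0, 0, 0
        while i < len(text):
            if s == 0 and i + self.k <= len(text):  # root state: consume k bytes in one lookup
                s, hits = self.root_index[text[i:i + self.k]]
                matches += [(i + off, p) for off, p in hits]; i += self.k
                continue
            # nonroot: text[i-depth:i] is the matched prefix; filter says prefix+byte is no prefix -> fail link
            while s and not any(self.bloom[h] for h in self._hashes(text[i - self.depth[s]:i + 1])):
                s, skipped = self.fail[s], skipped + 1
            s = self._step(s, text[i]); matches += [(i, p) for p in self.out[s]]; i += 1
        return matches, skipped
```

The prehash is sound because a filter miss proves the extended prefix is absent from the trie, so only the fail-link walk is short-circuited; the returned counter shows how many goto-table accesses that saved on the input.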
A fast scalable automaton-matching accelerator for embedded content processors