skip to main content
research-article

Space Optimization on Counters for FPGA-Based Perl Compatible Regular Expressions

Published:01 September 2009Publication History
Skip Abstract Section

Abstract

With their expressiveness and simplicity, Perl compatible regular expressions (PCREs) have been adopted in mainstream signature based network intrusion detection systems (NIDSs) to describe known attack signatures, especially for polymorphic worms. NIDSs rely on an underlying string matching engine that simulates PCREs to inspect each network packet. PCRE is a superset of traditional regular expressions, and provides advanced features. However, this pattern matching becomes a performance bottleneck of software-based NIDSs, causing a big portion of their execution time to be dedicated to payload inspection, which results in an unacceptable packet drop rate. The penetration of these unexamined packets creates a security hole in such systems. Over the past decade, hardware acceleration for the pattern matching has been studied extensively and a marginal performance has been achieved. Among hardware approaches, FPGA-based acceleration engines provide great flexibility because new signatures can be compiled and programmed into their reconfigurable architecture. As more and more malicious signatures are discovered, it becomes harder to map a complete set of malicious signatures specified in PCREs to an FPGA chip. One of the space consuming components is the counter used in the constrained repetitions for PCREs. Therefore, we propose a space efficient SelectRAM counter for PCREs that use counting. The design takes advantage of the basic components contained in a configurable logic block, and thus optimizes space usage. A set of basic PCRE blocks has been built in hardware to implement PCREs. Experimental results show that the proposed scheme outperforms existing designs by at least fivefold.

References

  1. Aho, A., Sethi, R., and Ullman, J. 1988. Compilers - Principles, Techniques, and Tools, Addison-Wesley, 117--123. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Aho, A. V. and Corasick, M. J. 1975. Efficient string matching: an aid to bibiliographic search. Comm. ACM 18, 6. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Baker, Z., Prasanna, V., and Jung, H.-J. 2006. Regular expression software deceleration for intrusion detection systems. In Proceedings of the 16th International Conference on Field Programmable Logic and Applications. 1--8.Google ScholarGoogle Scholar
  4. Bispo, J., Sourdis, I., Cardoso, J., and Vassiliadis, S. 2006. Regular expression matching for reconfigurable packet inspection. In Proceedings of the 16th International Conference on Field Programmable Logic and Applications (FPL’06). 119--126.Google ScholarGoogle Scholar
  5. Bispo, J., Sourdis, I., Cardoso, J., and Vassiliadis, S. 2007. Synthesis of regular expressions targeting FPGAs: current status and open issues. In Proceedings of the Reconfigurable Computing: Architectures, Tools, and Applicatins. 179--190. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Boyer, R. and Moore, S. 1977. A fast string searching algorithm. Comm. ACM 20, 762--772. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Bro. 2008. Intrusion detection system. http://www.bro-ids.org.Google ScholarGoogle Scholar
  8. Brodie, B., Taylor, D., and Cytron, R. 2006. A scalable architecture for high-throughput regular-expression pattern matching. In Proceedings of the 33rd International Symposium on Computer Architecture (ISCA’06). 191--202. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Cho, Y. H., Navab, S., and Mangione-Smith, W. H. 2002. Specialized hardware for deep network packet filtering. In Proceedings of the 12th International Conference on Field Programmable Logic and Applications (FPL’02). Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Clark, C. and Schimmel, D. 2004. Scalable parallel pattern-matching on high-speed networks. In Proceedings of the IEEE Symposium on Field-Programmable Custom Computing Machines. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Floyd, R. and Ullman, J. 1982. The compilation of regular expressions into integrated circuits. J. ACM 29, 603--622. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Gokhale, M., Dubois, D., Dubois, A., Boorman, M., Poole, S., and Hogsett, V. 2002. Granidt: Towards gigabit rate network intrusion detection technology. In Proceedings of the 12th International Conference on Field Programmable Logic and Applications (FPL’02). Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Hutchings, B. L., Franklin, R., and Carver, D. 2002. Assisting network intrusion detection with reconfigurable hardware. In Proceedings of the 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM’02). 111--120. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Lin, C.-H., Huang, C.-T., Jiang, C.-P., and Chang, S.-C. 2006. Optimization of regular expression pattern matching circuits on FPGA. In Proceedings of the Conference on Design, Automation, and Test in Europe (DATE’06). 12--17. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Lo, C.-T. D., Tai, Y.-G., and Psarris, K. 2008. Hardware implementation for network intrusion detection rules with regular expression support. In Proceedings of the 23rd Annual ACM Symposium on Applied Computing. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Lo, C.-T. D., Tai, Y.-G., Psarris, K., and Hwang, W.-J. 2006. Super fast hardware string matching. In Proceedings of the IEEE International Conference on Field Programmable Technology.Google ScholarGoogle Scholar
  17. McNaughton, R. and Yamada, H. 1960. Regular expressions and state graphs for automata. IEEE Trans. Electron. Comput. 9, 39--47.Google ScholarGoogle ScholarCross RefCross Ref
  18. Moscola, J., Lockwood, J., Loui, R., and Pachos, M. 2003. Implementation of a content-scanning module for an internet firwall. In Proceedings of the IEEE Workshop on FPGAs for Custom Computing Machines. 31--38. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. PCRE. 2008. Perl compatible regular expressions. http://www.pcre.org.Google ScholarGoogle Scholar
  20. Sidhu, R. and Prasanna, V. K. 2001. Fast regular expression matching using FPGAs. In Proceedings of the IEEE Symposium on Field-Programmable Custom Computing Machines. 227--238. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Snort. 2008. Snort intrusion detection system. http://snort.org.Google ScholarGoogle Scholar
  22. Sourdis, I., Pnevmatikatos, D., and Vassiliadis, S. 2008. Scalable multi-gigabit pattern matching for packet inspection. In IEEE Trans. Integr. VLSI Syst. (Special Section on Configurable Computing Design---XII: Hardware Level Reconfiguration) 16, 156--166. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Sourdis, I. and Pnevmatikatos, D. N. 2004. Predecoded cams for efficient and high-speed NIDs pattern matching. In Proceedings of the IEEE Symposium on Field-Programmable Custom Computing Machines. 258--267. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Sutton, P. 2004. Partial character decoding for improved regular expression matching in FPGAs. In Proceedings of the IEEE International Conference on Field-Programmable Technology (FPT). 25--32.Google ScholarGoogle ScholarCross RefCross Ref
  25. Xilinx, I. 2008. Xilkernel documents. http://www.xilinx.com/ise/embedded/edk91i_docs/xilkernel_v3_00_a.pdf.Google ScholarGoogle Scholar
  26. Yusuf, S., Luk, W., Szeto, M. K. N., and Osborne, W. 2006. Unite: Uniform hardware-based network intrusion detection engine. In Proceedings of the Reconfigurable Computing: Architectures and Applications. 389--400.Google ScholarGoogle Scholar

Index Terms

  1. Space Optimization on Counters for FPGA-Based Perl Compatible Regular Expressions

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Published in

        cover image ACM Transactions on Reconfigurable Technology and Systems
        ACM Transactions on Reconfigurable Technology and Systems  Volume 2, Issue 4
        September 2009
        134 pages
        ISSN:1936-7406
        EISSN:1936-7414
        DOI:10.1145/1575779
        Issue’s Table of Contents

        Copyright © 2009 ACM

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 1 September 2009
        • Accepted: 1 October 2008
        • Revised: 1 September 2008
        • Received: 1 May 2008
        Published in trets Volume 2, Issue 4

        Permissions

        Request permissions about this article.

        Request Permissions

        Check for updates

        Qualifiers

        • research-article
        • Research
        • Refereed

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!