Abstract
With their expressiveness and simplicity, Perl compatible regular expressions (PCREs) have been adopted in mainstream signature-based network intrusion detection systems (NIDSs) to describe known attack signatures, especially for polymorphic worms. NIDSs rely on an underlying string matching engine that simulates PCREs to inspect each network packet. PCRE is a superset of traditional regular expressions and provides advanced features. However, this pattern matching becomes the performance bottleneck of software-based NIDSs: a large portion of their execution time is spent on payload inspection, which results in an unacceptable packet drop rate. The packets that pass through unexamined create a security hole in such systems. Over the past decade, hardware acceleration of pattern matching has been studied extensively, and marginal performance gains have been achieved. Among hardware approaches, FPGA-based acceleration engines provide great flexibility because new signatures can be compiled and programmed into their reconfigurable architecture. As more and more malicious signatures are discovered, it becomes harder to map a complete set of malicious signatures specified as PCREs onto an FPGA chip. One of the space-consuming components is the counter used for constrained repetitions in PCREs. Therefore, we propose a space-efficient SelectRAM counter for PCREs that use counting. The design takes advantage of the basic components contained in a configurable logic block, and thus optimizes space usage. A set of basic PCRE blocks has been built in hardware to implement PCREs. Experimental results show that the proposed scheme outperforms existing designs by at least fivefold.
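As an added illustration (not code from the paper, and not its SelectRAM hardware design), the following Python model of a single constrained-repetition block shows what the counter in such a block does and what it replaces: one saturating register stands in for the m unrolled NFA copies of x{n,m}, and the streaming result is cross-checked against Python's re module. The payload, character class and bounds are constructed sample values.

```python
import re

def counted_repeat_scan(data: bytes, cls: bytes, n: int, m: int, follow: int) -> list:
    """Stream `data` byte by byte through one constrained-repetition block that models
    the PCRE fragment [cls]{n,m} followed by the single byte `follow`, as an unanchored
    search over a packet payload. The only state is one saturating counter, the role the
    hardware counter plays in an FPGA PCRE block. Returns the end offset (index just
    past `follow`) of every match. Assumes `follow` is not itself a member of `cls`."""
    hits = []
    count = 0                          # consecutive class bytes seen, saturating at m
    for i, b in enumerate(data):
        if b == follow and n <= count <= m:
            hits.append(i + 1)         # the run before this byte satisfies {n,m}
        if b in cls:
            count = min(count + 1, m)  # saturate: a longer run still contains a valid m-run
        else:
            count = 0                  # any other byte resets the block
    return hits

def reference_scan(data: bytes, cls: bytes, n: int, m: int, follow: int) -> list:
    """Cross-check with Python's backtracking regex engine on the same pattern."""
    pat = re.compile(b"[" + re.escape(cls) + b"]{%d,%d}" % (n, m) + re.escape(bytes([follow])))
    return [mt.end() for mt in pat.finditer(data)]

def state_cost(n: int, m: int) -> tuple:
    """Rough space comparison for x{n,m}: the textbook NFA expansion needs m copies of
    the sub-expression (n mandatory plus m-n optional), whereas a counter needs only
    enough register bits to count to m (comparators and control logic not included)."""
    return m, m.bit_length()

if __name__ == "__main__":
    payload = b"xaaabaaaaabab"   # constructed sample payload, not from the paper
    print(counted_repeat_scan(payload, b"a", 2, 4, ord("b")))   # [5, 11]
    print(reference_scan(payload, b"a", 2, 4, ord("b")))        # [5, 11]
    print(state_cost(2, 4))                                     # (4, 3)
```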
Space Optimization on Counters for FPGA-Based Perl Compatible Regular Expressions