DOI: 10.5555/1870926.1871022
Research article

Ultra-high throughput string matching for deep packet inspection

Published: 08 March 2010

Abstract

Deep Packet Inspection (DPI) searches a packet's header and payload against thousands of rules to detect possible attacks. Growing Internet usage and the increasing number of attacks that must be searched for mean that hardware acceleration has become essential if DPI is not to become a bottleneck when deployed on an edge or core router. In this paper we present a new multi-pattern matching algorithm that searches for the fixed strings contained in these rules at a guaranteed rate of one character per cycle, independent of the number of strings or their length. Our algorithm is based on the Aho-Corasick string matching algorithm; our modifications reduce memory by over 98% on the strings tested from the Snort ruleset. This makes the search structures needed to match thousands of strings small enough to fit in the on-chip memory of an FPGA. Combined with a simple hardware architecture, this yields high throughput and low power consumption. Our hardware implementation uses multiple string matching engines working in parallel to search through packets. It achieves a throughput of over 40 Gbps (OC-768) when implemented on a Stratix 3 FPGA and over 10 Gbps (OC-192) when implemented on the lower-power Cyclone 3 FPGA.
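The abstract's central claim is a guaranteed one character per cycle regardless of how many strings are loaded. The following is an added example, not code from the paper, showing the Aho-Corasick baseline that gives that property in software: the failure links are resolved at build time into a full next-state table, so the scan loop performs exactly one table lookup per input byte and never chases failure links. The patterns and payload are constructed stand-ins, not Snort rules, and the paper's memory-reduction technique is not reproduced; the `table_entries` helper only shows the baseline table size that such a reduction would start from.

```python
from collections import deque

# Constructed sample patterns (stand-ins for fixed strings in a DPI ruleset;
# not taken from the Snort ruleset).
PATTERNS = [b"he", b"she", b"his", b"hers"]


def build_automaton(patterns):
    """Build an Aho-Corasick automaton with a fully resolved transition table.

    Returns (nxt, output) where nxt[state][byte] is defined for all 256 byte
    values, so matching costs one lookup per character, and output[state] is
    the set of patterns that end at that state (including those reached via
    failure links, merged at build time).
    """
    goto = [{}]       # trie edges: goto[state][byte] -> child state
    output = [set()]  # patterns ending at each trie state
    for pat in patterns:
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({})
                output.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        output[s].add(pat)

    n = len(goto)
    fail = [0] * n
    nxt = [[0] * 256 for _ in range(n)]
    q = deque()
    # Depth-1 states fail back to the root; unknown bytes at the root stay there.
    for b in range(256):
        if b in goto[0]:
            s = goto[0][b]
            nxt[0][b] = s
            q.append(s)
    # Breadth-first so that fail[r] (a shallower state) is finalised before r.
    while q:
        r = q.popleft()
        output[r] |= output[fail[r]]
        for b in range(256):
            if b in goto[r]:
                s = goto[r][b]
                fail[s] = nxt[fail[r]][b]
                nxt[r][b] = s
                q.append(s)
            else:
                nxt[r][b] = nxt[fail[r]][b]
    return nxt, output


def scan(automaton, payload):
    """Return sorted (start_offset, pattern) hits; one table lookup per byte."""
    nxt, output = automaton
    state = 0
    hits = []
    for i, b in enumerate(payload):
        state = nxt[state][b]          # the single per-character step
        for pat in output[state]:
            hits.append((i - len(pat) + 1, pat))
    return sorted(hits)


def state_count(automaton):
    return len(automaton[0])


def table_entries(automaton):
    """Entries in the uncompressed full table: states x 256 bytes."""
    return state_count(automaton) * 256


if __name__ == "__main__":
    ac = build_automaton(PATTERNS)
    # Constructed payload; overlapping matches "she", "he" and "hers" all fire.
    for off, pat in scan(ac, b"ushers"):
        print(off, pat)
    print("states:", state_count(ac), "table entries:", table_entries(ac))
```

Because every transition is materialised, the scan loop has no data-dependent branching on the pattern set, which is what a hardware engine needs for a fixed per-byte rate; the price is the full table, and `table_entries` makes that cost visible (10 states here already need 2560 entries), which is the quantity the paper's memory reduction targets.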


Cited By

  • (2018) TCP/IP Reassembly in Network Intrusion Detection and Prevention Systems. International Journal of Information Security and Privacy, 8(3), 63-76. DOI 10.5555/2854422.2854426. Online publication date: 21 Dec 2018.


Published In

DATE '10: Proceedings of the Conference on Design, Automation and Test in Europe
March 2010
1868 pages
ISBN:9783981080162

Sponsors

  • EDAA: European Design Automation Association
  • ECSI
  • EDAC: Electronic Design Automation Consortium
  • SIGDA: ACM Special Interest Group on Design Automation
  • The IEEE Computer Society TTTC
  • The IEEE Computer Society DATC
  • The Russian Academy of Sciences

Publisher

European Design and Automation Association

Leuven, Belgium


Conference

DATE '10: Design, Automation and Test in Europe
March 8 - 12, 2010
Dresden, Germany

Acceptance Rates

Overall Acceptance Rate 518 of 1,794 submissions, 29%

