Scalable multi-pipeline architecture for high performance multi-pattern string matching

Multi-pattern string matching remains a major performance bottleneck in network intrusion detection and anti-virus systems for high-speed deep packet inspection (DPI). Although Aho-Corasick deterministic finite automaton (AC-DFA) based solutions produce deterministic throughput and are widely used in today's DPI systems such as Snort [1] and ClamAV [2], the high memory requirement of the AC-DFA (due to its large number of state transitions) inhibits efficient hardware implementation for high performance. Some recent work [3], [4] has shown that, by incorporating pipelined processing, the AC-DFA can be reduced to a character trie that contains only the forward transitions. However, these approaches are limited either in handling long patterns or in extending to multi-character input per clock cycle to achieve high throughput. This paper generalizes the problem and proves formally that a linear pipeline with H stages can remove all cross transitions to the top H levels of an AC-DFA. A novel and scalable pipeline architecture for memory-efficient multi-pattern string matching is then presented. The architecture can be easily extended to support multi-character input per clock cycle by mapping a compressed AC-DFA [5] onto multiple pipelines. Simulation using Snort and ClamAV pattern sets shows that an 8-stage pipeline can remove more than 99% of the transitions in the original AC-DFA. The implementation on a state-of-the-art field programmable gate array (FPGA) shows that our architecture can store the full set of string patterns from the latest Snort rule set on a single FPGA device. Our FPGA implementation sustains 10+ Gbps throughput while consuming a small amount of on-chip logic resources. Desirable scalability is also achieved: the increase in resource requirement of our solution is sub-linear with the throughput improvement.
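To make the transition-reduction claim concrete, the following added example (not code from the paper) builds a full AC-DFA for a small constructed pattern set and counts how many cross transitions land in the top H levels. It assumes the root is at depth 0 and takes "top H levels" to mean depths 0 through H-1; the function names, pattern set and alphabet are illustrative.

```python
from collections import deque

def build_ac_dfa(patterns, alphabet):
    """Return (depth, delta): depth[s] is the trie level of state s,
    delta[s][c] is the AC-DFA next state for every symbol c."""
    goto, depth = [{}], [0]
    for p in patterns:                      # build the character trie
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({})
                depth.append(depth[s] + 1)
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
    fail = [0] * len(goto)
    delta = [dict() for _ in goto]
    queue = deque([0])
    while queue:                            # BFS: shallower states first
        s = queue.popleft()
        for c in alphabet:
            if c in goto[s]:                # forward (trie) transition
                t = goto[s][c]
                fail[t] = delta[fail[s]][c] if s else 0
                delta[s][c] = t
                queue.append(t)
            else:                           # cross transition via failure state
                delta[s][c] = delta[fail[s]][c] if s else 0
    return depth, delta

def transition_profile(patterns, alphabet, H):
    """Split AC-DFA transitions into forward edges, cross transitions into
    depths 0..H-1 (assumed removable by an H-stage pipeline), and the rest."""
    depth, delta = build_ac_dfa(patterns, alphabet)
    forward = removable = remaining = 0
    for s, row in enumerate(delta):
        for t in row.values():
            if depth[t] == depth[s] + 1:    # only a trie child is one level deeper
                forward += 1
            elif depth[t] < H:
                removable += 1
            else:
                remaining += 1
    return {"forward": forward, "removable": removable, "remaining": remaining}

# Constructed sample input, not taken from the Snort or ClamAV rule sets.
PATTERNS = ["he", "she", "his", "hers"]
ALPHABET = "ehirs"

if __name__ == "__main__":
    for H in range(1, 5):
        print(H, transition_profile(PATTERNS, ALPHABET, H))
```

On this toy set, most cross transitions already target the root and depth-1 states, which is the skew that makes a short pipeline effective.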

[1] T. V. Lakshman, et al. Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection, 2009, IEEE INFOCOM 2009.

[2] Pedro C. Diniz, et al. Matching and searching analysis for parallel hardware implementation on FPGAs, 2001, FPGA '01.

[3] John W. Lockwood, et al. Reprogrammable network packet processing on the field programmable port extender (FPX), 2001, FPGA '01.

[4] Evangelos P. Markatos, et al. Generating realistic workloads for network intrusion detection systems, 2004, WOSP '04.

[5] Young H. Cho, et al. Deep network packet filter design for reconfigurable devices, 2008, TECS.

[6] Tsern-Huei Lee, et al. Using String Matching for Deep Packet Inspection, 2008, Computer.

[7] Viktor K. Prasanna, et al. Field-split parallel architecture for high performance multi-match packet classification using FPGAs, 2009, SPAA '09.

[8] Fabrizio Petrini, et al. High-speed string searching against large dictionaries on the Cell/B.E. Processor, 2008, 2008 IEEE International Symposium on Parallel and Distributed Processing.

[9] Wei Zhang, et al. A Memory Efficient Multiple Pattern Matching Architecture for Network Security, 2008, IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.

[10] Vijay Kumar, et al. High Speed Pattern Matching for Network IDS/IPS, 2006, Proceedings of the 2006 IEEE International Conference on Network Protocols.

[11] Sotiris Ioannidis, et al. Gnort: High Performance Network Intrusion Detection Using Graphics Processors, 2008, RAID.

[12] Stamatis Vassiliadis, et al. Scalable Multigigabit Pattern Matching for Packet Inspection, 2008, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[13] Timothy Sherwood, et al. A high throughput string matching architecture for intrusion detection and prevention, 2005, 32nd International Symposium on Computer Architecture (ISCA'05).

[14] Viktor K. Prasanna, et al. A computationally efficient engine for flexible intrusion detection, 2005, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[15] George Varghese, et al. Deterministic memory-efficient string matching algorithms for intrusion detection, 2004, IEEE INFOCOM 2004.

[16] Viktor K. Prasanna, et al. Compact architecture for high-throughput regular expression matching on FPGA, 2008, ANCS '08.

[17] Aziz Mohaisen, et al. A Survey on Deep Packet Inspection for Intrusion Detection Systems, 2008, ArXiv.

[18] Maxime Crochemore, et al. Sequential Multiple String Matching, 2008, Encyclopedia of Algorithms.

[19] Alfred V. Aho, et al. Efficient string matching, 1975, Commun. ACM.

[20] Wei Lin, et al. Pipelined Architecture for Multi-String Matching, 2008, IEEE Computer Architecture Letters.

[21] Viktor K. Prasanna, et al. Performance of FPGA implementation of bit-split architecture for intrusion detection systems, 2006, Proceedings 20th IEEE International Parallel & Distributed Processing Symposium.

[22] Jan van Lunteren, et al. High-Performance Pattern-Matching for Intrusion Detection, 2006, INFOCOM.

[23] Viktor K. Prasanna, et al. Memory-Efficient Pipelined Architecture for Large-Scale String Matching, 2009, 2009 17th IEEE Symposium on Field Programmable Custom Computing Machines.

[24] Cheng-Hung Lin, et al. Optimization of pattern matching algorithm for memory based architecture, 2007, ANCS '07.