FPGA Based Accelerator for Pattern Matching in YARA Framework

Pattern matching is an integral part of intrusion detection systems, used to detect potential threats, and it is becoming a bottleneck because of the complexity and scale of the patterns. YARA is a pattern matching framework that helps identify malicious content by defining complex patterns and signatures. Software implementations on general purpose processors (CPUs) do not meet the throughput requirements of core networks. In this paper, we present an FPGA based hardware accelerator to boost the performance of pattern matching in the YARA framework. The proposed streaming architecture consists of pattern matching engines organized as two-dimensional stages and pipelines. Each YARA rule is logically mapped to a stage in the architecture, resulting in a modular design that permits easy updates as the rules change. Several optimizations, such as multi-character matching and BRAM based character classification, are employed to obtain high performance. We implemented rulesets of sizes varying from 8 to 200 rules, with the total number of patterns ranging from 128 to 6000. Post place-and-route results demonstrate that the proposed design achieves throughput ranging from 12.85 Gbps to 21.8 Gbps. This is an improvement of 8.8× to 14.5× over the throughput of 1.45 Gbps for a software-only implementation on a state of the art multi-core platform.

Keywords: Pattern Matching; FPGA; BRAM; Intrusion Detection; Finite State Machine; NFA; YARA
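The abstract describes three ideas that are easier to see in running code: one stage per YARA rule, a byte-indexed class table standing in for the BRAM character classification, and consuming several input bytes per clock. The model below is an added example written for this page, not the paper's RTL or any YARA code; the stage layout (one shared 256-entry table per rule feeding a bit-parallel Shift-And engine), the bus width `WIDTH`, the rule names and the sample buffer are all assumptions made for illustration.

```python
# Added example: a software model of the stage/pipeline organisation sketched in
# the abstract. It is NOT the paper's design; the per-rule table layout, the
# Shift-And engine, WIDTH, the rules and the sample data are assumptions.
from dataclasses import dataclass

WIDTH = 4  # bytes consumed per clock cycle (assumed; not stated in the abstract)


@dataclass
class Stage:
    """One YARA rule mapped to one stage. All byte strings of the rule share a
    single 256-entry class table (the BRAM stand-in: one lookup per input byte
    yields a bit vector of every pattern position that accepts the byte) and
    one bit-parallel engine whose state concatenates all pattern positions."""
    rule: str
    patterns: list

    def __post_init__(self):
        self.table = [0] * 256   # byte -> bit vector of positions accepting it
        self.starts = 0          # bit set at position 0 of every pattern
        self.ends = 0            # bit set at the last position of every pattern
        self.owner = {}          # last-position bit index -> pattern index
        pos = 0
        for j, p in enumerate(self.patterns):
            self.starts |= 1 << pos
            for b in p:
                self.table[b] |= 1 << pos
                pos += 1
            self.ends |= 1 << (pos - 1)
            self.owner[pos - 1] = j
        self.state = 0

    def cycle(self, chunk: bytes, base: int):
        """Consume up to WIDTH bytes, i.e. one clock in the hardware model.
        Hardware flattens the WIDTH Shift-And steps into one combinational
        transition; applying them sequentially here gives the same result."""
        hits = []
        for k, b in enumerate(chunk):
            # Shift-And step: advance every live partial match by one position,
            # restart at every pattern head, keep only positions accepting b.
            self.state = ((self.state << 1) | self.starts) & self.table[b]
            fired = self.state & self.ends
            while fired:                      # report each pattern that ended here
                bit = fired & -fired
                j = self.owner[bit.bit_length() - 1]
                end = base + k
                hits.append((self.rule, self.patterns[j],
                             end - len(self.patterns[j]) + 1))
                fired ^= bit
        return hits


def scan(data: bytes, stages):
    """Stream the buffer through every stage WIDTH bytes at a time, as the
    pipelined hardware would; returns (rule, pattern, offset) in match order."""
    for s in stages:
        s.state = 0
    hits = []
    for base in range(0, len(data), WIDTH):
        chunk = data[base:base + WIDTH]
        for s in stages:
            hits.extend(s.cycle(chunk, base))
    return hits


def fired_rules(hits):
    """Rule-level verdict: a rule fires when any of its strings matched
    (stands in for a YARA condition of `any of them`)."""
    return sorted({rule for rule, _, _ in hits})


# Constructed sample rules and input (not from the paper).
RULES = [
    Stage("pe_header", [b"MZ", b"This program cannot be run"]),
    Stage("suspicious_tools", [b"cmd.exe", b"powershell"]),
]
SAMPLE = b"MZ\x90\x00 ...This program cannot be run... cmd.exe /c powershell -enc AAAA"

if __name__ == "__main__":
    for hit in scan(SAMPLE, RULES):
        print(hit)
    print(fired_rules(scan(SAMPLE, RULES)))
```

Two properties of the hardware design show up directly in the model: adding or changing a rule touches only its own `Stage` (the modularity the abstract claims), and the per-byte work is a single table read plus a shift-and-mask, which is what makes multi-byte-per-cycle unrolling cheap in logic.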
