Abstract
State-of-the-art Network Intrusion Detection Systems (NIDSs) use regular expressions (REs) to detect attacks or vulnerabilities. To keep up with ever-increasing speeds, more and more NIDSs need to be implemented in dedicated hardware. A major bottleneck is that NIDSs scan incoming packets one byte at a time, which greatly limits their throughput. In addition, huge memory consumption limits their practicality. In this paper, we propose an algorithm for regular expression matching that consumes multiple characters at a time while maintaining memory efficiency. It combines three ideas: (1) top-k state extraction; (2) variable-stride acceleration; (3) DFA compression. We tested our algorithm on several real-life RE rulesets. The experimental results show that it performs well in both memory efficiency and throughput. It can achieve a 14–22x efficiency ratio over the original DFA on the Bro and Snort rulesets, and a 2–7x efficiency ratio over the original DFA on the l7_filter ruleset.
Notes
- 1. Paper [10] focuses on whether a char is a Leaving Char. However, we focus on whether a transition is a Leaving transition.
- 2. 4’b110x, 4’b10xx, where x denotes 0 or 1.
References
Roesch, M., et al.: Snort: lightweight intrusion detection for networks. In: LISA, vol. 99, no. 1, pp. 229–238 (1999)
Hopcroft, J.E.: Introduction to Automata Theory, Languages, and Computation. Pearson Education, India (1979)
Kumar, S., Dharmapurikar, S., Yu, F., Crowley, P., Turner, J.: Algorithms to accelerate multiple regular expressions matching for deep packet inspection. ACM SIGCOMM Comput. Commun. Rev. 36(4), 339–350 (2006)
Li, Y., Luo, X., Shao, X., Wei, D.: MDC-DFA: a multi-dimensional cube deterministic finite automata-based feature matching algorithm. In: 2015 Fifth International Conference on Information and Communication Technology Convergence (ICTC), pp. 1119–1124. IEEE (2015)
Liu, C., Pan, Y., Chen, A., Wu, J.: A DFA with extended characterset for fast deep packet inspection. IEEE Trans. Comput. 63(8), 1925–1937 (2014)
Liu, T., Liu, A.X., Shi, J., Sun, Y., Guo, L.: Towards fast and optimal grouping of regular expressions via DFA size estimation. IEEE/ACM J. Sel. Areas Commun. 32(10), 1797–1809 (2014)
Brodie, B.C., Taylor, D.E., Cytron, R.K.: A scalable architecture for high-throughput regular-expression pattern matching. In: ACM SIGARCH Computer Architecture News, vol. 34, no. 2, pp. 191–202. IEEE Computer Society (2006)
Bando, M., Artan, N.S., Chao, H.J.: Scalable lookahead regular expression detection system for deep packet inspection. IEEE/ACM Trans. Netw. 20(3), 699–714 (2012)
Su, J., Chen, S., Han, B., Xu, C., Wang, X.: A 60GBps DPI prototype based on memory-centric FPGA. In: Proceedings of the 2016 Conference on ACM SIGCOMM 2016 Conference, pp. 627–628. ACM (2016)
Liu, X., Shao, Z., Liu, X., Sum, N.: Fine-grained parallel regular expression matching for deep packet inspection. J. Comput. Res. Dev. 5(51), 1061–1070 (2014)
Jiang, L., Dai, Q., Tang, Q., Tan, J., Fang, B.: A fast regular expression matching engine for NIDS applying prediction scheme. In: 2014 IEEE Symposium on Computers and Communication (ISCC), pp. 1–7. IEEE (2014)
The Bro Network Security Monitor. http://www.bro.org
Levandoski, J., Sommer, E., Strait, M., et al.: Application Layer Packet Classifier for Linux (2008)
DARPA Intrusion Detection Data Sets. https://www.ll.mit.edu/ideval/data/
Tang, Q., Jiang, L., Dai, Q., Su, M., Xie, H., Fang, B.: Rics-DFA: a space and time-efficient signature matching algorithm with reduced input character set. Concur. Comput.: Pract. Exp. (2016)
Luchaup, D., Smith, R., Estan, C., Jha, S.: Speculative parallel pattern matching. IEEE Trans. Inf. Forensics Secur. 54(2), 438–451 (2011)
Acknowledgments
This work is supported by the National Science Foundation of China (NSFC) under grant No. 61402475, and the National Science and Technology Major Project under Grant No. 2017YFB0803003.
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Yang, J., Jiang, L., Bai, X., Dai, Q., Su, M., Bhuiyan, M.Z.A. (2017). An FPGA-Based Algorithm to Accelerate Regular Expression Matching. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, KK. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2017. Lecture Notes in Computer Science(), vol 10658. Springer, Cham. https://doi.org/10.1007/978-3-319-72395-2_39
DOI: https://doi.org/10.1007/978-3-319-72395-2_39
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72394-5
Online ISBN: 978-3-319-72395-2
eBook Packages: Computer Science, Computer Science (R0)