
mDFA: A Memory Efficient DFA-Based Pattern Matching Engine on FPGA

Wireless Personal Communications

Abstract

Security applications such as network intrusion detection systems (NIDS) and virus scanning engines use pattern matching as an essential mechanism for detecting harmful activity or malicious code. The growth of pattern sets in size and complexity, together with the high volume of data to be scanned, makes pattern matching on general-purpose processors increasingly challenging. One solution is to offload this time-consuming task to a reconfigurable device, a field programmable gate array (FPGA). In this paper, we introduce a memory-efficient FPGA-based pattern matching architecture. We use Deterministic Finite Automata (DFA) as the main pattern matching algorithm and propose modifications (mDFA) to reduce redundant logic. The proposed design, with better memory utilization, supports dynamic updates and is compatible with stateful NIDSs and virus scanners. The paper also presents an analysis of memory efficiency and the hardware implementation of the proposed architecture. We evaluate our approach on contemporary NIDS pattern sets and a virus signature database, and build a prototype on the NetFPGA 1G platform to test in a real network environment. The results show that our design can save up to 90% of hardware resources compared to the traditional DFA approach and achieves a throughput of 1.9 Gbps. The prototype achieves a 2.7–4.5\(\times\) speedup over a software-based matching engine.



Acknowledgments

This research is funded by The Department of Science and Technology in Ho Chi Minh City under grant number 170/2013/H-D-SKHCN.

Author information

Corresponding author

Correspondence to Tran Trung Hieu.


About this article


Cite this article

Hieu, T.T., Thinh, T.N. mDFA: A Memory Efficient DFA-Based Pattern Matching Engine on FPGA. Wireless Pers Commun 78, 1833–1847 (2014). https://doi.org/10.1007/s11277-014-2047-x


  • DOI: https://doi.org/10.1007/s11277-014-2047-x
