Abstract
Pattern matching is one of the most performance-critical components of content-inspection applications in network security, such as network intrusion detection and prevention. To keep up with increasing network speeds, this component needs to be accelerated by a well-designed custom coprocessor. This paper presents a parameterized multilevel pattern matching architecture (MPM) for FPGAs. To reduce chip area, the architecture is built on the idea of selected character decoding (SCD) and on a multilevel method, both of which are analyzed in detail. The paper also proposes an MPM generator that produces RTL-level code for an MPM from a given pattern set and predefined parameters; with the generator, an efficient MPM can be generated and embedded in a complete hardware solution. The third contribution is a mathematical model and formula that estimate the chip area of an MPM before it is generated, which is useful for choosing a suitable FPGA. One example MPM is implemented for 1785 Snort patterns on a Xilinx Virtex-II Pro FPGA. The results show that this MPM achieves 4.3 Gbps throughput with a 5-stage pipeline at 0.22 slices per character, about half the chip area of the most area-efficient architecture in the literature. Further results show that MPM is also efficient for general random pattern sets. The performance of MPM scales nearly linearly, with potential for more than 100 Gbps throughput.
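The abstract describes the SCD idea only at a high level: decode only the characters that actually occur in the pattern set, then detect each pattern by ANDing delayed decoded signals. The following Python model is an added illustration, not the paper's RTL, generator or area formula; it simulates one cycle per input byte with a history of decoded signals and reports how many single-character decoders the selected alphabet needs compared with a full 256-way decode. The pattern set and input buffer are constructed here for the example and are not from the paper.

```python
"""Cycle-level software model of selected-character-decoded (SCD) matching.

Added example (not the paper's design): one comparator per character that
appears in the pattern set, a shift register of decoded one-hot vectors,
and per-pattern AND trees over the delayed signals.
"""


def selected_alphabet(patterns):
    """Bytes that need a decoder: the union of bytes over all patterns."""
    return sorted({b for p in patterns for b in p})


def decoder_count(patterns):
    """(decoders with SCD, decoders for a full 8-bit decode)."""
    return len(selected_alphabet(patterns)), 256


class ScdMatcher:
    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.alphabet = selected_alphabet(self.patterns)
        # Shift-register depth is the longest pattern; history[d][c] is True
        # when the byte seen d cycles ago decoded to character c.
        self.depth = max(len(p) for p in self.patterns)
        self.history = [dict.fromkeys(self.alphabet, False)
                        for _ in range(self.depth)]

    def clock(self, byte):
        """Feed one input byte; return the patterns that end at this byte."""
        # SCD: only selected characters get a comparator; any other byte
        # decodes to all-zero and can never contribute to a match.
        decoded = {c: (c == byte) for c in self.alphabet}
        self.history = [decoded] + self.history[:-1]
        hits = []
        for p in self.patterns:
            # Last byte of the pattern is at delay 0, first byte at len-1.
            if all(self.history[len(p) - 1 - i][p[i]] for i in range(len(p))):
                hits.append(p)
        return hits


def scan(patterns, data):
    """Return (start_offset, pattern) for every match in data, in scan order."""
    m = ScdMatcher(patterns)
    found = []
    for offset, b in enumerate(data):
        for p in m.clock(b):
            found.append((offset - len(p) + 1, p))
    return found


if __name__ == "__main__":
    # Constructed sample pattern set and input buffer (not from the paper).
    pats = [b"GET ", b"/etc/passwd", b"cmd.exe"]
    buf = b"GET /etc/passwd HTTP/1.0 cmd.exe"
    print(decoder_count(pats))   # 16 selected decoders instead of 256
    for off, p in scan(pats, buf):
        print(off, p)
```

In hardware the `history` list corresponds to pipeline registers and each `all(...)` to an AND tree, so the number of comparators is bounded by the selected alphabet rather than by the 256-way decoder a naive design would instantiate; this is the quantity the abstract's per-character slice count depends on.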
Supported by the National Natural Science Foundation of China (Grant No. 60803002), and the Excellent Young Scholars Research Fund of Beijing Institute of Technology
Song, T., Wang, D. & Tang, Z. A parameterized multilevel pattern matching architecture on FPGAs for network intrusion detection and prevention. Sci. China Ser. F-Inf. Sci. 52, 949–963 (2009). https://doi.org/10.1007/s11432-009-0024-x