DOI: 10.1145/1323548.1323571 (research article)

Compiling PCRE to FPGA for accelerating SNORT IDS

Published: 03 December 2007

Abstract

Deep Payload Inspection systems like SNORT and BRO utilize regular expressions for their rules due to their high expressibility and compactness. The SNORT IDS system uses the PCRE Engine for regular expression matching on the payload. The software-based PCRE Engine utilizes an NFA engine based on certain opcodes which are determined by the regular expression operators in a rule. Each rule in the SNORT ruleset is translated by the PCRE compiler into a unique regular expression engine. Since the software-based PCRE engine can match the payload with a single regular expression at a time, and needs to do so for multiple rules in the ruleset, the throughput of the SNORT IDS system dwindles as each packet is processed through a multitude of regular expressions.
In this paper we detail our implementation of hardware-based regular expression engines for the SNORT IDS by transforming the PCRE opcodes generated by the PCRE compiler from SNORT regular expression rules. Our compiler generates VHDL code corresponding to the opcodes generated for the SNORT regular expression rules. We have tuned our hardware implementation to utilize an NFA-based regular expression engine, using greedy quantifiers, in much the same way as the software-based PCRE engine. Our system implements a regular expression only once for each new rule in the SNORT ruleset, thus resulting in a fast system that scales well with new updates. We implement two hundred PCRE engines based on a plethora of SNORT IDS rules, and use a Virtex-4 LX200 FPGA, on the SGI RASC RC 100 Blade connected to the SGI ALTIX 4700 supercomputing system, as a testbed. We obtain an interface throughput of 12.9 GBits/s and also a maximum speedup of 353X over software-based PCRE execution.

    Published In

    ANCS '07: Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
    December 2007
    212 pages
    ISBN:9781595939456
    DOI:10.1145/1323548

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. deep payload inspection
    2. intrusion detection system
    3. nondeterministic finite automata
    4. regular expressions

    Qualifiers

    • Research-article

    Conference

    ANCS07

    Acceptance Rates

    ANCS '07 Paper Acceptance Rate 20 of 70 submissions, 29%;
    Overall Acceptance Rate 88 of 314 submissions, 28%
