DOI: 10.1145/1872007.1872032
research-article

Range hash for regular expression pre-filtering

Published: 25 October 2010

Abstract

Recently, major Internet carriers and vendors successfully tested high-speed backbone networks at 100-Gbps line speed to support the rapid growth of Internet traffic demands. In addition, traffic is becoming more concentrated at points such as data centers, and demand for protecting such high-speed networks from attack traffic is increasing. Deep Packet Inspection (DPI) with Regular Expression (RegEx) detection is the de facto defense mechanism against network intrusions. However, current RegEx detection systems cannot keep up with the upcoming high-speed line rate. RegExes consist of three types of components: exact strings, character classes (CC), and repetitions. Exact string and repetition matching have been widely studied by the RegEx research community for better performance. Yet, although more than 55% of RegExes in the Snort signature set contain at least one CC, hardware-based solutions that focus on CC detection are limited.
In this paper we propose a new CC detection architecture called Range Hash that is suitable for high-speed, compact CC detection. Additionally, we propose a practical application of the Range Hash architecture in which it is used as a pre-filter for a Regular Expression detection system to increase overall RegEx detection performance. Based on our hardware prototype design, which runs at 250 MHz, Range Hash can reach 100-Gbps CC detection throughput with today's FPGA chips.



    Published In

    ANCS '10: Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
    October 2010
    244 pages
    ISBN:9781450303798
    DOI:10.1145/1872007
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. FPGA
    2. deep packet inspection
    3. hardware
    4. network intrusion detection system
    5. pre-filter
    6. range hash
    7. range matching
    8. regular expressions
    9. security

    Conference

    ANCS '10

    Acceptance Rates

    Overall Acceptance Rate 88 of 314 submissions, 28%

    Cited By

    • (2023) Exploiting Structure in Regular Expression Queries. Proceedings of the ACM on Management of Data, 1:2 (1-28). DOI: 10.1145/3589297. Online publication date: 20-Jun-2023
    • (2020) A Survey on FPGA Support for the Feasible Execution of Virtualized Network Functions. IEEE Communications Surveys & Tutorials, 22:1 (504-525). DOI: 10.1109/COMST.2019.2943690. Online publication date: Sep-2021
    • (2019) A Client-Biased Cooperative Search Scheme in Blockchain-Based Data Markets. 2019 28th International Conference on Computer Communication and Networks (ICCCN) (1-9). DOI: 10.1109/ICCCN.2019.8847102. Online publication date: Jul-2019
    • (2019) A Massively Multi-Tenant Virtualized Network Intrusion Prevention Service on NFV Platform. 2019 28th International Conference on Computer Communication and Networks (ICCCN) (1-9). DOI: 10.1109/ICCCN.2019.8846924. Online publication date: Jul-2019
    • (2019) Protocol Analysis Method Based on State Machine. Human Centered Computing (305-314). DOI: 10.1007/978-3-030-37429-7_30. Online publication date: 12-Dec-2019
    • (2018) FPGA-based network intrusion detection for IEC 61850-based industrial network. ICT Express, 4:1 (1-5). DOI: 10.1016/j.icte.2018.01.002. Online publication date: Mar-2018
    • (2018) FPGA-Based Memory Efficient Shift-And Algorithm for Regular Expression Matching. Applied Reconfigurable Computing. Architectures, Tools, and Applications (132-141). DOI: 10.1007/978-3-319-78890-6_11. Online publication date: 8-Apr-2018
    • (2016) Finding nonequivalent classifiers in boolean space to reduce tcam usage. IEEE/ACM Transactions on Networking, 24:2 (968-981). DOI: 10.1109/TNET.2015.2402093. Online publication date: 1-Apr-2016
    • (2014) A Bloom Filter-Based Monitoring Station for a Lawful Interception Platform. Multimedia Communications, Services and Security (214-228). DOI: 10.1007/978-3-319-07569-3_18. Online publication date: 2014
    • (2013) Hardware-Accelerated Regular Expression Matching with Overlap Handling on IBM PowerEN™ Processor. Proceedings of the 2013 IEEE 27th International Symposium on Parallel and Distributed Processing (1254-1265). DOI: 10.1109/IPDPS.2013.54. Online publication date: 20-May-2013
