ABSTRACT
Packet inspection is widely employed in application-layer protocol analysis systems to enable accurate protocol identification. Many existing systems, however, fail to keep up with wire speed. There are two limitations: (1) software-based matching schemes usually match sequentially, which is slow and inefficient; (2) fast hardware-based matching schemes are inapplicable to network packet processing because they lack intrinsic support for multiple flows.
This paper proposes a novel approach for application-layer protocol identification called Co-Match, which combines software and hardware to achieve fast and efficient signature matching for multiple flows. First, a grouping scheme is adopted to organize signatures into several matching sets. With this scheme, each packet is matched against only a subset of signatures, which remarkably improves matching speed in software. Second, an FPGA-based coprocessor is developed to support fast parallel regular expression matching for multiple flows in hardware. Moreover, a hardware-based flow-level traffic load balancer is employed to parallelize multi-flow processing across multiple CPU cores. Experimental results show that our approach handles multiple flows efficiently and that system throughput can reach the wire speed of Gigabit Ethernet links with moderate CPU usage.
Co-match: fast and efficient packet inspection for multiple flows