skip to main content
10.1145/1882486.1882538acmconferencesArticle/Chapter ViewAbstractPublication PagesancsConference Proceedingsconference-collections
research-article

Co-match: fast and efficient packet inspection for multiple flows

Authors Info & Claims
Published:19 October 2009Publication History

ABSTRACT

Packet inspection is widely employed in application-layer protocol analyzing systems to enable accurate protocol identification. Many existing systems, however, fail to meet the requirement of keeping up with wire speed in networking. There are two limitations: (1) software-based matching schemes are usually in a sequential manner which is slow and inefficient; (2) fast hardware-based matching schemes are inapplicable to network packet processing for lacking of intrinsic support for multiple flows.

This paper proposes a novel approach for application-layer protocol identification called Co-Match, which combines software and hardware together to achieve fast and efficient signature matching for multiple flows. First, a grouping scheme is adopted to organize signatures into several matching sets. With this scheme, each packet is only matched against a subset of signatures, bringing about a remarkable improvement of matching speed in software. Second, an FPGA-based coprocessor is developed in order to support fast parallel regular expression matching for multiple flows in hardware. Moreover, a hardware-based flow-level traffic load balancer is employed to parallel multi-flow processing on multiple CPU cores. Experimental results show that our approach is efficient to handle multiple flows while system throughput can achieve the wire speed of Gigabit Ethernet links with moderate CPU usage.

References

  1. Y.-H.E. Yang, W. Jiang, and V. K. Prasanna, "Compact Architecture for High-Throughput Regular Expression Matching on FPGA", in ANCS'08, 2008, pp. 30--39. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. A. W. Moore and K. Papagiannaki, "Toward the Accurate Identification of Network Applications", in Passive and Active Network Measurement, 2005, pp. 41--54. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. H. Dreger, A. Feldmann, M. Mai, V. Paxson and R. Sommer, "Dynamic application-layer protocol analysis for network intrusion detection", in Proceedings of the 15th conference on USENIX Security Symposium. vol. 15, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. J. Levandoski, E. Sommer and M. Strait, "Application Layer Packet Classifier for Linux", http://17-filter.sourceforge.net/.Google ScholarGoogle Scholar
  5. Cisco Systems Inc., Network Based Application Recognition, http://www.cisco.com/en/US/products/ps6616/products_ios_ protocol_group_home.htmlGoogle ScholarGoogle Scholar
  6. F. Yu, Z. Chen, Y. Diao, T. V. Lakshman and R. H. Katz, "Fast and memory-efficient regular expression matching for deep packet inspection", in ANCS'06, 2006, pp. 93--102. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. R. Sidhu and V. K. Prasanna, "Fast Regular Expression Matching Using FPGAs", in FCCM'01, 2001, pp. 227--238. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. C.-H. Lin, C.-T. Huang, C.-P. Jiang, and S.-C. Chang, "Optimization of regular expression pattern matching circuits on FPGA", in Proceedings of the conference on Design, automation and test in Europe, 2006, pp. 12--17. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. M. Becchi and P. Crowley, "Efficient Regular Expression Evaluation: Theory to Practice", in ANCS'08, 2008, pp. 50--59. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. N. Yamagaki, R. Sidhu, and S. Kamiya, "High-speed regular expression matching engine using multi-character NFA," in FPL'08, 2008, pp. 131--136.Google ScholarGoogle Scholar
  11. Official IPP2P homepage, http://www.ipp2p.org/.Google ScholarGoogle Scholar
  12. D. Guo, G. Liao, L. N. Bhuyan, B. Liu, Jianxun and J. Ding, "A scalable multithreaded L7-filter design for multi-core servers", in ANCS'08, 2008, pp. 60--68. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. R. Wojtczuk, Libnids, http://libnids.sourceforge.net/.Google ScholarGoogle Scholar
  14. S. Kumar, B. Chandrasekaran, J. Turner, and G. Varghese, "Curing regular expressions matching algorithms from insomnia, amnesia, and acalculia", in ANCS'07, 2007, pp. 155--164. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. A. Majumder, R. Rastogi, and S. Vanama, "Scalable regular expression matching on data streams," in ACM SIGMOD 2008, 2008, pp. 161--172. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Xilinx, http://www.xilinx.com/.Google ScholarGoogle Scholar
  17. MIT DARPA Intrusion Detection Evaluation Data Set, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1999data.html/.Google ScholarGoogle Scholar
  18. GNU Regex Library, http://www.gnu.org/s/libc/manual/html_node/Regular-Expressions.html/.Google ScholarGoogle Scholar
  19. J. Bispo, I. Sourdis, J. M. P. Cardoso and S. Vassiliadis, "Regular expression matching for reconfigurable packet inspection", in FPT'06, 2006, pp. 119--126.Google ScholarGoogle ScholarCross RefCross Ref
  20. C. R. Clark and D. E. Schimmel, "Scalable Pattern Matching for High Speed Networks", in FCCM'04, 2004, pp. 249--257. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. S. Kumar, S. Dharmapurikar, F. Yu, P. Crowley, and J. Turner, "Algorithms to accelerate multiple regular expressions matching for deep packet inspection", in ACM SIGCOMM 2006, 2006, pp. 339--350. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. M. Becchi and S. Cadambi, "Memory-Efficient Regular Expression Search Using State Merging," in INFOCOM 2007, 2007, pp. 1064--1072.Google ScholarGoogle Scholar
  23. Receive Side Scaling (RSS), http://technet.microsoft.com/en-us/network/dd277646.aspx.Google ScholarGoogle Scholar
  24. B. Haagdorens, T. Vermeiren and M. Goossens, "Improving the performance of signature-based network intrusion detection sensors by multi-threading", In WISA'04, 2004, pp. 188--203. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. V. Paxson, R. Sommer and N. Weaver, "An Architecture for Exploiting Multi-Core Processors to Parallelize Network Intrusion Prevention", in IEEE Sarnoff Symposium, 2007, pp. 1--7.Google ScholarGoogle ScholarCross RefCross Ref

Index Terms

  1. Co-match: fast and efficient packet inspection for multiple flows

    Recommendations

    Comments

    Login options

    Check if you have access through your login credentials or your institution to get full access on this article.

    Sign in
    • Published in

      cover image ACM Conferences
      ANCS '09: Proceedings of the 5th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
      October 2009
      227 pages
      ISBN:9781605586304
      DOI:10.1145/1882486

      Copyright © 2009 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 19 October 2009

      Permissions

      Request permissions about this article.

      Request Permissions

      Check for updates

      Qualifiers

      • research-article

      Acceptance Rates

      Overall Acceptance Rate88of314submissions,28%

    PDF Format

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader