ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Fast and memory-efficient regular expression matching for deep packet inspection
Full text PdfPdf (1.21 MB)
Source Symposium On Architecture For Networking And Communications Systems archive
Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems table of contents
San Jose, California, USA
SESSION: Content inspection table of contents
Pages: 93 - 102  
Year of Publication: 2006
ISBN:1-59593-580-0
Authors
Fang Yu  UC Berkeley
Zhifeng Chen  Google Inc.
Yanlei Diao  University of Massachusetts, Amherst
T. V. Lakshman  Bell Laboratories, Lucent Technologies
Randy H. Katz  UC Berkeley
Sponsors
ACM: Association for Computing Machinery
SIGARCH: ACM Special Interest Group on Computer Architecture
SIGCOMM: ACM Special Interest Group on Data Communication
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 32,   Downloads (12 Months): 206,   Citation Count: 21
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1185347.1185360
What is a DOI?

ABSTRACT

Packet content scanning at high speed has become extremely important due to its applications in network security, network monitoring, HTTP load balancing, etc. In content scanning, the packet payload is compared against a set of patterns specified as regular expressions. In this paper, we first show that memory requirements using traditional methods are prohibitively high for many patterns used in packet scanning applications. We then propose regular expression rewrite techniques that can effectively reduce memory usage. Further, we develop a grouping scheme that can strategically compile a set of regular expressions into several engines, resulting in remarkable improvement of regular expression matching speed without much increase in memory usage. We implement a new DFA-based packet scanner using the above techniques. Our experimental results using real-world traffic and patterns show that our implementation achieves a factor of 12 to 42 performance improvement over a commonly used DFA-based scanner. Compared to the state-of-art NFA-based implementation, our DFA-based packet scanner achieves 50 to 700 times speedup.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
J. Levandoski, E. Sommer, and M. Strait, "Application Layer Packet Classifier for Linux." http://l7-filter.sourceforge.net/.
 
2
"SNORT Network Intrusion Detection System." http://www.snort.org.
 
3
"Bro Intrusion Detection System." http://bro-ids.org/Overview.html.
 
4
L. Tan and T. Sherwood, "A High Throughput String Matching Architecture for Intrusion Detection and Prevention," Proc. LISA, 2005.
 
5
Young H. Cho , William H. Mangione-Smith, Deep Packet Filter with Dedicated Logic and Read Only Memories, Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, p.125-134, April 20-23, 2004
6
Zachary K. Baker , Viktor K. Prasanna, Time and area efficient pattern matching on FPGAs, Proceedings of the 2004 ACM/SIGDA 12th international symposium on Field programmable gate arrays, February 22-24, 2004, Monterey, California, USA  [doi>10.1145/968280.968312]
 
7
Zachary K. Baker , Viktor K. Prasanna, A Methodology for Synthesis of Efficient Intrusion Detection Systems on FPGAs, Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, p.135-144, April 20-23, 2004
 
8
M. Aldwairi, T. Conte, and P. Franzon, "Configurable string matching hardware for speedup up intrusion detection," Proc. WASSA, 2004.
 
9
S. Dharmapurikar, M. Attig, and J. Lockwood, "Deep packet inspection using parallel bloom filters," IEEE Micro, 2004.
 
10
Fang Yu , Randy H. Katz , T. V. Lakshman, Gigabit Rate Packet Pattern-Matching Using TCAM, Proceedings of the Network Protocols, 12th IEEE International Conference on (ICNP'04), p.174-183, October 05-08, 2004
11
Young H. Cho , William H. Mangione-Smith, A pattern matching coprocessor for network security, Proceedings of the 42nd annual conference on Design automation, June 13-17, 2005, San Diego, California, USA  [doi>10.1145/1065579.1065641]
12
Todd J. Green , Ashish Gupta , Gerome Miklau , Makoto Onizuka , Dan Suciu, Processing XML streams with deterministic automata and stream indexes, ACM Transactions on Database Systems (TODS), v.29 n.4, December 2004  [doi>10.1145/1042046.1042051]
13
Yanlei Diao , Mehmet Altinel , Michael J. Franklin , Hao Zhang , Peter Fischer, Path sharing and predicate evaluation for high-performance XML filtering, ACM Transactions on Database Systems (TODS), v.28 n.4, p.467-516, December 2003  [doi>10.1145/958942.958947]
 
14
John E. Hopcroft , Rajeev Motwani , Jeffrey D. Ullman, Introduction to Automata Theory, Languages, and Computation (3rd Edition), Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2006
15
Robin Sommer , Vern Paxson, Enhancing byte-level network intrusion detection signatures with context, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA  [doi>10.1145/948109.948145]
 
16
James Moscola , John Lockwood , Ronald P. Loui , Michael Pachos, Implementation of a Content-Scanning Module for an Internet Firewall, Proceedings of the 11th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, p.31, April 09-11, 2003
 
17
Reetinder Sidhu , Viktor K. Prasanna, Fast Regular Expression Matching Using FPGAs, Proceedings of the the 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, p.227-238, April 29-May 02, 2001  [doi>10.1109/FCCM.2001.22]
 
18
B. L. Hutchings , R. Franklin , D. Carver, Assisting Network Intrusion Detection with Reconfigurable Hardware, Proceedings of the 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, p.111, September 22-24, 2002
 
19
Christopher R. Clark , David E. Schimmel, Scalable Pattern Matching for High Speed Networks, Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, p.249-257, April 20-23, 2004
20
Sailesh Kumar , Sarang Dharmapurikar , Fang Yu , Patrick Crowley , Jonathan Turner, Algorithms to accelerate multiple regular expressions matching for deep packet inspection, Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications, September 11-15, 2006, Pisa, Italy
 
21
"Standard for Information Technology, Portable Operating System Interface (POSIX)," Portable Applications Standards Committee of IEEE Computer Society and the Open Group.
 
22
C. L. A. Clarke and G. V. Cormack, "On the use of regular expressions for searching text," Technical Report CS-95-07, Department of Computer Science, University of Waterloo, 1995.
 
23
J. A. Kahle , M. N. Day , H. P. Hofstee , C. R. Johns , T. R. Maeurer , D. Shippy, Introduction to the cell multiprocessor, IBM Journal of Research and Development, v.49 n.4/5, p.589-604, July 2005
 
24
"MIT DARPA Intrusion Detection Data Sets." http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html.
 
25
V. Paxson et al., "Flex: A fast scanner generator." http://www.gnu.org/software/flex/.
 
26
Perl compatible Regular Expression, http://www.pcre.org/
 
27
F. Yu, Z. Chen, Y. Diao, T. V. Lakshman and R. H. Katz,, "Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection," UC Berkeley technical report, May 2006.
28
Benjamin C. Brodie , David E. Taylor , Ron K. Cytron, A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching, Proceedings of the 33rd annual international symposium on Computer Architecture, p.191-202, June 17-21, 2006

CITED BY  21
Ioannis Sourdis , João Bispo , João M. Cardoso , Stamatis Vassiliadis, Regular Expression Matching in Reconfigurable Hardware, Journal of Signal Processing Systems, v.51 n.1, p.99-121, April 2008
Jagrati Agrawal , Yanlei Diao , Daniel Gyllstrom , Neil Immerman, Efficient pattern matching over event streams, Proceedings of the 2008 ACM SIGMOD international conference on Management of data, June 09-12, 2008, Vancouver, Canada
Michela Becchi , Patrick Crowley, An improved algorithm to accelerate regular expression evaluation, Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems, December 03-04, 2007, Orlando, Florida, USA
Tomas Hruby , Kees van Reeuwijk , Herbert Bos, Ruler: high-speed packet matching and rewriting on NPUs, Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems, December 03-04, 2007, Orlando, Florida, USA
Christopher L. Hayes , Yan Luo, DPICO: a high speed deep packet inspection engine using compact finite automata, Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems, December 03-04, 2007, Orlando, Florida, USA
Abhishek Mitra , Walid Najjar , Laxmi Bhuyan, Compiling PCRE to FPGA for accelerating SNORT IDS, Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems, December 03-04, 2007, Orlando, Florida, USA
Michela Becchi , Patrick Crowley, A hybrid finite automaton for practical deep packet inspection, Proceedings of the 2007 ACM CoNEXT conference, December 10-13, 2007, New York, New York
Sheng-Ya Lin , Cheng-Chung Tan , Jyh-Charn Liu , Michael Oehler, High-speed detection of unsolicited bulk emails, Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems, December 03-04, 2007, Orlando, Florida, USA
Domenico Ficara , Stefano Giordano , Gregorio Procissi, An improved DFA for fast regular expression matching, ACM SIGCOMM Computer Communication Review, v.38 n.5, October 2008
Anirban Majumder , Rajeev Rastogi , Sriram Vanama, Scalable regular expression matching on data streams, Proceedings of the 2008 ACM SIGMOD international conference on Management of data, June 09-12, 2008, Vancouver, Canada
Shijin Kong , Randy Smith , Cristian Estan, Efficient signature matching with multiple alphabet compression tables, Proceedings of the 4th international conference on Security and privacy in communication netowrks, September 22-25, 2008, Istanbul, Turkey
Randy Smith , Cristian Estan , Somesh Jha , Shijin Kong, Deflating the big bang: fast and scalable deep packet inspection with extended finite automata, ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
Michela Becchi , Patrick Crowley, Efficient regular expression evaluation: theory to practice, Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, November 06-07, 2008, San Jose, California
Charlie Wiseman , Jonathan Turner , Michela Becchi , Patrick Crowley , John DeHart , Mart Haitjema , Shakir James , Fred Kuhns , Jing Lu , Jyoti Parwatikar , Ritun Patney , Michael Wilson , Ken Wong , David Zar, A remotely accessible network processor-based router for network experimentation, Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, November 06-07, 2008, San Jose, California
Danhua Guo , Guangdeng Liao , Laxmi N. Bhuyan , Bin Liu , Jianxun Jason Ding, A scalable multithreaded L7-filter design for multi-core servers, Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, November 06-07, 2008, San Jose, California
Yi-Hua E. Yang , Weirong Jiang , Viktor K. Prasanna, Compact architecture for high-throughput regular expression matching on FPGA, Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, November 06-07, 2008, San Jose, California
Michael Foukarakis , Demetres Antoniades , Michalis Polychronakis, Deep packet anonymization, Proceedings of the Second European Workshop on System Security, p.16-21, March 31-31, 2009, Nuremburg, Germany
Cheng-Hung Lin , Hsien-Sheng Hsiao, Hierarchical state machine architecture for regular expression pattern matching, Proceedings of the 19th ACM Great Lakes symposium on VLSI, May 10-12, 2009, Boston Area, MA, USA
Michela Becchi , Patrick Crowley, Extending finite automata to efficiently match Perl-compatible regular expressions, Proceedings of the 2008 ACM CoNEXT Conference, p.1-12, December 09-12, 2008, Madrid, Spain
Weirong Jiang , Viktor K. Prasanna, Field-split parallel architecture for high performance multi-match packet classification using FPGAs, Proceedings of the twenty-first annual symposium on Parallelism in algorithms and architectures, August 11-13, 2009, Calgary, AB, Canada
Yi-Hua E. Yang , Viktor K. Prasanna, Software toolchain for large-scale RE-NFA construction on FPGA, International Journal of Reconfigurable Computing, 2009, p.1-10, January 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)


General Terms:
Algorithms, Design, Security


Keywords:
DFA, deep packet, inspection, intrusion detection, regular expressions

Collaborative Colleagues:
Fang Yu: colleagues
Zhifeng Chen: colleagues
Yanlei Diao: colleagues
T. V. Lakshman: colleagues
Randy H. Katz: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player