Abstract
Multi-pattern matching is a critical technique for building high-performance Network Intrusion Detection Systems (NIDS) and Deep Packet Inspection Systems (DPIS). Given a signature database, multi-pattern matching compares each packet against the patterns to detect known attacks. The Deterministic Finite Automaton (DFA) is widely used for multi-pattern matching in NIDS because its matching speed is constant even in the worst case. Existing DFA-based works have claimed high throughput at the expense of extremely high memory cost and logic complexity, so they fail to meet the memory space requirements of embedded systems or high-performance routers. In this paper, we propose a novel memory-efficient multi-pattern matching acceleration scheme called Module-based Finite Automata (MB-FA), which achieves a large acceleration with little memory duplication. The basic idea of MB-FA is to store the original DFA in independent modules using a carefully designed algorithm, so that inter-flow parallelism can be exploited to the largest possible scale. A full systematic design of MB-FA is presented, and support for rule updates is also introduced. Evaluation experiments show that, without any optimization, MB-FA achieves an average speed-up of 20 times while its memory cost is almost twice that of the original DFA.
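The baseline the abstract refers to, as an added example that is not part of the paper: an Aho-Corasick DFA with a dense 256-way transition table, which gives the constant per-byte worst-case cost and the state-count-times-256 memory footprint that MB-FA's duplication is measured against. The pattern set and payload are constructed for illustration.

```python
from collections import deque

ALPHABET = 256  # one column per byte value: the dense DFA layout whose memory cost matters
PATTERNS = [b"he", b"she", b"his", b"hers"]  # constructed sample signature set

def build_dfa(patterns):
    """Aho-Corasick DFA over byte strings: returns (transition table, output sets)."""
    goto = [[-1] * ALPHABET]  # goto[state][byte] -> next state, -1 = not yet defined
    out = [set()]             # out[state] -> patterns that end in this state
    for pat in patterns:      # phase 1: build the trie
        s = 0
        for b in pat:
            if goto[s][b] == -1:
                goto.append([-1] * ALPHABET)
                out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(pat)
    # phase 2: BFS computes failure links and fills every undefined transition,
    # so each (state, byte) pair has exactly one move and no backtracking is needed
    fail = [0] * len(goto)
    q = deque()
    for b in range(ALPHABET):
        if goto[0][b] == -1:
            goto[0][b] = 0
        else:
            q.append(goto[0][b])  # depth-1 states keep fail == 0
    while q:
        s = q.popleft()
        for b in range(ALPHABET):
            t = goto[s][b]
            if t == -1:
                goto[s][b] = goto[fail[s]][b]      # shallower state is already complete
            else:
                fail[t] = goto[fail[s]][b]
                out[t] |= out[fail[t]]              # inherit matches ending in the suffix
                q.append(t)
    return goto, out

def scan(dfa, payload):
    """Walk the DFA one table lookup per byte; returns sorted (offset, pattern) hits."""
    goto, out = dfa
    s, hits = 0, []
    for i, b in enumerate(payload):
        s = goto[s][b]
        for pat in out[s]:
            hits.append((i - len(pat) + 1, pat))
    return sorted(hits)

def memory_cost(dfa):
    """Stored transitions: states * 256, the figure memory-efficient schemes must shrink."""
    return len(dfa[0]) * ALPHABET
```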
This work is supported by NSFC (60625201, 60873250, 60903182), the Cultivation Fund of the Key Scientific and Technical Innovation Project, MoE, China (705003), the Specialized Research Fund for the Doctoral Program of Higher Education of China (20060003058), 863 high-tech project (2007AA01Z216, 2007AA01Z468) and national innovation experiment program for university students.
© 2009 Springer-Verlag Berlin Heidelberg
Jiang, J., Tang, Y., Wang, X., Liu, B. (2009). Module-Based Finite Automata: A Scalable and Memory-Efficient Architecture for Multi-pattern Matching in Deep Packet Inspection. In: Ślęzak, D., Kim, Th., Chang, A.CC., Vasilakos, T., Li, M., Sakurai, K. (eds) Communication and Networking. FGCN 2009. Communications in Computer and Information Science, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10844-0_19
DOI: https://doi.org/10.1007/978-3-642-10844-0_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10843-3
Online ISBN: 978-3-642-10844-0