Compact DFA Structure for Multiple Regular Expressions Matching

Slides:

Advertisements

Similar presentations

Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.

Advertisements

Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:

Optimizing Regular Expression Matching with SR-NFA on Multi-Core Systems Authors : Yang, Y.E., Prasanna, V.K. Yang, Y.E. Prasanna, V.K. Publisher : Parallel.

An Efﬁcient Regular Expressions Compression Algorithm From A New Perspective Authors : Tingwen Liu,Yifu Yang,Yanbing Liu,Yong Sun,Li Guo Tingwen LiuYifu.

Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,

Design of High Performance Pattern Matching Engine Through Compact Deterministic Finite Automata Department of Computer Science and Information Engineering.

Scalable IPv6 Lookup/Update Design for High-Throughput Routers Authors: Chung-Ho Chen, Chao-Hsien Hsu, Chen -Chieh Wang Presenter: Yi-Sheng, Lin ( 林意勝.

1 Regular expression matching with input compression ： a hardware design for use within network intrusion detection systems Department of Computer Science.

Pipelined Architecture For Multi-String Match Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.

Memory-Efficient Regular Expression Search Using State Merging Department of Computer Science and Information Engineering National Cheng Kung University,

Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.

High-Performance Packet Classification on GPU Author: Shijie Zhou, Shreyas G. Singapura and Viktor K. Prasanna Publisher: HPEC 2014 Presenter: Gang Chi.

Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems Author: Domenico Ficara, Gianni Antichi, Andrea Di Pietro, Stefano.

Packet Classification Using Multi-Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: COMPSACW, 2013 IEEE 37th Annual (Computer.

Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:

SI-DFA: Sub-expression Integrated Deterministic Finite Automata for Deep Packet Inspection Authors: Ayesha Khalid, Rajat Sen†, Anupam Chattopadhyay Publisher:

A Regular Expression Matching Algorithm Using Transition Merging Department of Computer Science and Information Engineering National Cheng Kung University,

A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,

EQC16: An Optimized Packet Classification Algorithm For Large Rule-Sets Author: Uday Trivedi, Mohan Lal Jangir Publisher: 2014 International Conference.

Pattern-Based DFA for Memory- Efficient and Scalable Multiple Regular Expression Matching Author: Junchen Jiang, Yang Xu, Tian Pan, Yi Tang, Bin Liu Publisher:IEEE.

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:

Regular Expression Matching for Reconfigurable Packet Inspection Authors: Jo˜ao Bispo, Ioannis Sourdis, Jo˜ao M.P. Cardoso and Stamatis Vassiliadis Publisher:

StriD2FA Scalable Regular Expression Matching for Deep Packet Inspection Author ： Xiaofei Wang, Junchen Jiang, Yi Tang,Yi Wang,Bin Liu Xiaojun Wang Publisher.

DBS A Bit-level Heuristic Packet Classification Algorithm for High Speed Network Author : Baohua Yang, Xiang Wang, Yibo Xue, Jun Li Publisher : th.

Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM th IEEE International.

Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.

Updating Designed for Fast IP Lookup Author : Natasa Maksic, Zoran Chicha and Aleksandra Smiljani´c Conference: IEEE High Performance Switching and Routing.

TFA: A Tunable Finite Automaton for Regular Expression Matching Author: Yang Xu, Junchen Jiang, Rihua Wei, Yang Song and H. Jonathan Chao Publisher: ACM/IEEE.

A Fast Regular Expression Matching Engine for NIDS Applying Prediction Scheme Author: Lei Jiang, Qiong Dai, Qiu Tang, Jianlong Tan and Binxing Fang Publisher:

Range Enhanced Packet Classification Design on FPGA Author: Yeim-Kuan Chang, Chun-sheng Hsueh Publisher: IEEE Transactions on Emerging Topics in Computing.

PC-TRIO: A Power Efficient TACM Architecture for Packet Classifiers Author: Tania Banerjee, Sartaj Sahni, Gunasekaran Seetharaman Publisher: IEEE Computer.

Parallel tree search: An algorithmic approach for multi- field packet classification Authors: Derek Pao and Cutson Liu. Publisher: Computer communications.

Cuckoo Filter: Practically Better Than Bloom Author: Bin Fan, David G. Andersen, Michael Kaminsky, Michael D. Mitzenmacher Publisher: ACM CoNEXT 2014 Presenter:

Packet Classification Using Dynamically Generated Decision Trees

LOP_RE: Range Encoding for Low Power Packet Classification Author: Xin He, Jorgen Peddersen and Sri Parameswaran Conference : IEEE 34th Conference on Local.

SRD-DFA Achieving Sub-Rule Distinguishing with Extended DFA Structure Author: Gao Xia, Xiaofei Wang, Bin Liu Publisher: IEEE DASC (International Conference.

Series DFA for Memory- Efficient Regular Expression Matching Author: Tingwen Liu, Yong Sun, Li Guo, and Binxing Fang Publisher: CIAA 2012( International.

Scalable Multi-match Packet Classification Using TCAM and SRAM Author: Yu-Chieh Cheng, Pi-Chung Wang Publisher: IEEE Transactions on Computers (2015) Presenter:

JA-trie: Entropy-Based Packet Classiﬁcation Author: Gianni Antichi, Christian Callegari, Andrew W. Moore, Stefano Giordano, Enrico Anastasi Conference.

A Multi-dimensional Packet Classification Algorithm Based on Hierarchical All-match B+ Tree Author: Gang Wang, Yaping Lin*, Jinguo Li, Xin Yao Publisher:

Reorganized and Compact DFA for Efficient Regular Expression Matching

2018/4/27 PiDFA : A Practical Multi-stride Regular Expression Matching Engine Based On FPGA Author: Jiajia Yang, Lei Jiang, Qiu Tang, Qiong Dai, Jianlong.

A DFA with Extended Character-Set for Fast Deep Packet Inspection

2018/6/26 An Energy-efficient TCAM-based Packet Classification with Decision-tree Mapping Author: Zhao Ruan, Xianfeng Li , Wenjun Li Publisher: 2013.

Regular Expression Matching in Reconfigurable Hardware

Statistical Optimal Hash-based Longest Prefix Match

2018/11/19 Source Routing with Protocol-oblivious Forwarding to Enable Efficient e-Health Data Transfer Author: Shengru Li, Daoyun Hu, Wenjian Fang and.

Dynamic Packet-filtering in High-speed Networks Using NetFPGAs

SigMatch Fast and Scalable Multi-Pattern Matching

Parallel Processing Priority Trie-based IP Lookup Approach

Scalable Memory-Less Architecture for String Matching With FPGAs

Binary Prefix Search Author: Yeim-Kuan Chang

2019/1/1 High Performance Intrusion Detection Using HTTP-Based Payload Aggregation 2017 IEEE 42nd Conference on Local Computer Networks (LCN) Author: Felix.

2019/1/3 Exscind: Fast Pattern Matching for Intrusion Detection Using Exclusion and Inclusion Filters Next Generation Web Services Practices (NWeSP) 2011.

Memory-Efficient Regular Expression Search Using State Merging

Scalable Multi-Match Packet Classification Using TCAM and SRAM

A New String Matching Algorithm Based on Logical Indexing

2019/5/2 Using Path Label Routing in Wide Area Software-Defined Networks with OpenFlow ICNP = International Conference on Network Protocols Presenter：Hung-Yen.

2019/5/3 A De-compositional Approach to Regular Expression Matching for Network Security Applications Author: Eric Norige Alex Liu Presenter: Yi-Hsien.

2019/5/5 A Flexible Wildcard-Pattern Matching Accelerator via Simultaneous Discrete Finite Automata Author: Hsiang-Jen Tsai, Chien-Chih Chen, Yin-Chi Peng,

Pipelined Architecture for Multi-String Matching

Power-efficient range-match-based packet classification on FPGA

Authors: A. Rasmussen, A. Kragelund, M. Berger, H. Wessing, S. Ruepp

A Hybrid IP Lookup Architecture with Fast Updates

2019/9/3 Adaptive Hashing Based Multiple Variable Length Pattern Search Algorithm for Large Data Sets 比對 Simple Pattern 的方法是基於 Hash 並且可以比對不同長度的 Pattern。

A SRAM-based Architecture for Trie-based IP Lookup Using FPGA

2019/10/9 Regular Expression Matching for Reconfigurable Constraint Repetition Inspection Authors : Miad Faezipour and Mehrdad Nourani Publisher : IEEE.

Authors: Ding-Yuan Lee, Ching-Che Wang, An-Yeu Wu Publisher: 2019 VLSI

Packet Classification Using Binary Content Addressable Memory

2019/11/12 Efficient Measurement on Programmable Switches Using Probabilistic Recirculation Presenter：Hung-Yen Wang Authors：Ran Ben Basat, Xiaoqi Chen,

Presentation transcript:

Compact DFA Structure for Multiple Regular Expressions Matching 2019/5/5 Compact DFA Structure for Multiple Regular Expressions Matching Author: Wei Lin , Yi Tang, Bin Liu, Derek Pao and XiaoFei Wang Conference: IEEE ICC, 2009 Presenter: Kuan-Chieh Feng Date: 2017/02/15 Department of Computer Science and Information Engineering National Cheng Kung University CSIE CIAL Lab 1

Outline Introduction CPDFA Architecture Performance Evaluation National Cheng Kung University CSIE Computer & Internet Architecture Lab

Introduction New applications such as real-time deep packet inspection require high-speed regular expression matcher. The number of regex is increasing to several thousands. The Snort HTTP signature set will result in a DFA larger than 15GB. National Cheng Kung University CSIE Computer & Internet Architecture Lab

Introduction According to statistics of regexes in Snort and L7-filter rules, transitions from each state to its next states are not evenly distributed. The summation of transitions from each state to its top three most popular next states takes about 90% of all the transitions. National Cheng Kung University CSIE Computer & Internet Architecture Lab

Introduction About 90% transitions will go to the top three most popular next states. The remaining transitions are further optimized to store more compactly and access more efficiently. K parallel SRAMs with different size are used to hold a majority of the remaining transitions. CPDFA uses pipelined architecture implemented in FPGA National Cheng Kung University CSIE Computer & Internet Architecture Lab

CPDFA Architecture Original DFA 2019/5/5 CPDFA Architecture Original DFA 假設將所有input character classes分為十種並且根據其順序排列數量前三多的state會先被歸類出來 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

CPDFA Architecture Indirect Table 2019/5/5 CPDFA Architecture Indirect Table 直列為state ID 橫列character classes 00 代表往最多的state transition 01 代表往第二多的 10代表往第三多的 00 代表不屬於前三多的transition National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

CPDFA Architecture Because the three most significant next states for each state are different, a transition output table is used to record the three most significant next states for each state. Let the number of states be M and the size of a state ID be L bits. The transition output table can be organized as M rows by 3 x L bits wide National Cheng Kung University CSIE Computer & Internet Architecture Lab

CPDFA Architecture Transition Output Table 2019/5/5 CPDFA Architecture Transition Output Table 查完indirect table後接著要查transition output table National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

CPDFA Architecture The offset obtained from indirect index table can be used to choose one of the three next state IDs of the selected row. In this way, transitions from each state to its top three most popular next states can be stored and accessed efficiently. National Cheng Kung University CSIE Computer & Internet Architecture Lab

CPDFA Architecture The remaining transitions of each state are stored and accessed in different way according to whether the number of the remaining transitions of each state is more than K or not. National Cheng Kung University CSIE Computer & Internet Architecture Lab

CPDFA Architecture If the number of remaining transitions of a state is not more than K (K=4), the states will be arranged in descending order based on the number of remaining transitions of the state, and the transitions of the same state will be stored at the same address in different SRAMs from left to right. National Cheng Kung University CSIE Computer & Internet Architecture Lab

2019/5/5 CPDFA Architecture The state ID is used as index to access the same address of multiple SRAMs 例如state A 只有一條outgoing transition 從A到E 則會被存在SRAM1 讀取石透過state ID來index SRAM的位置並且找出transition National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

2019/5/5 CPDFA Architecture If the number of remaining transitions for a state is more than K, the transitions will be stored in a direct transition table (DTT). The row index is the state ID, and the column index is the input character class. The table entry is the next state information. For example, excluding the outgoing transitions from B to {F, G, H}, if the number of outgoing transitions for state B is more than K (K=4), one entry in DTT will be used to store these remaining outgoing transitions for state B National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

CPDFA Architecture Direct Transition Table National Cheng Kung University CSIE Computer & Internet Architecture Lab

CPDFA Architecture Storage Estimation M : # of state in DFA 2019/5/5 CPDFA Architecture Storage Estimation M : # of state in DFA L : size of state ID N : remaining transition less than K X : number of character classes M : # of state in DFA L : size of state ID N : remaining transition less than K X : number of character classes National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

CPDFA Architecture State ID Assignment National Cheng Kung University CSIE Computer & Internet Architecture Lab

CPDFA Architecture In order to share the above four tables with multiple DFAs, each DFA will be allocated a section of address space in each table and each DFA will record its starting address in each table. National Cheng Kung University CSIE Computer & Internet Architecture Lab

2019/5/5 CPDFA Architecture Search會根據input character與current state來分辨假如current state ID小於N的話 indirect table與K parallel sram會被同時讀取假如大或小於N則會讀取indirect table與DTT 這個系統可以透過增加delay register來形成pipeline的架構，而throughput就是每讀取一個字元需要做幾次memory access National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

CPDFA Architecture By using the indirect index to represent transitions to top three most popular next states, about 90% transitions can be represented more compactly and efficiently. The remaining transitions of each state are stored in K parallel SRAMs or DTT, which further reduced the storage requirement to represent DFA transitions. National Cheng Kung University CSIE Computer & Internet Architecture Lab

Performance Evaluation 2019/5/5 Performance Evaluation 1 R-trans: remaining transitions except transitions to top 3 most popular next states. 2 K: the default value is set to 10. 3 TOP-3: Transitions from each state to its top three most popular next states 4 L: L7-filter rules group. 5 S: Snort rules group National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

Performance Evaluation National Cheng Kung University CSIE Computer & Internet Architecture Lab

Performance Evaluation National Cheng Kung University CSIE Computer & Internet Architecture Lab