Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood.

Presentation transcript:

Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood

Motivation
● Deep packet inspection
  ○ Detection of Internet worms, computer viruses, SPAM, copyrighted material, Intrusion Detection/Prevention
  ○ Layer-7 switching
  ○ Content classification
● Needs fast string matching mechanism
● Some desirable features of the mechanism
  ○ String matching at line speed
  ○ Ability to detect strings at random locations in the payload
  ○ Ability to detect 1000s of strings
  ○ Ability to handle arbitrarily long strings

Aho-Corasick Algorithm
● Two Problems
  ○ At least 1 memory access per character (at the most 2)
    ▪ Slows it down
  ○ Only one character at a time
    ▪ bottleneck
Strings: s1 : technical, s2 : technically, s3 : tel, s4 : telephone, s5 : phone, s6 : elephant
[Figure: Aho-Corasick state machine for these strings, one character per transition, states q0 to q31]

Why not use multiple engines?
[Figure: incoming connections distributed over Engine 1, Engine 2, Engine 3 and Engine 4]
● Each engine needs plenty of memory…
● On-chip memory not practical
● We need a memory chip
● Multiple memory chips
● More pins, more power, more cost

Can we…
● Process multiple characters at a time
● Without using multiple memory chips?
● What if we have a small amount of on-chip memory?

Our Approach
● Modify Aho-Corasick to jump ahead by k characters
  ○ Jump Ahead Aho-CorasicK (JACK)-FA
● Represent JACK-FA as a hash table. Keep only one copy in the off-chip memory
● Keep k copies of the compressed & approximate JACK-FA hash table in on-chip memory
  ○ Use Bloom filters for approximate representation
  ○ Consumes very little memory
[Figure: data stream feeding the on-chip approximate JACK-FAs, backed by the off-chip JACK-FA]

JACK-FA
Strings: s1 : technical, s2 : technically, s3 : tel, s4 : telephone, s5 : phone, s6 : elephant
Split into 4-character segments plus a tail:
  s1 : tech nica l
  s2 : tech nica lly
  s3 : tel
  s4 : tele phon e
  s5 : phon e
  s6 : elep hant
[Figure: JACK-FA state machine with states q0 to q7, 4-character transitions (tech, nica, tele, phon, elep, hant) and tails (tel, e, l, lly) reporting the matched strings]

String matching with JACK-FA
[Figure: the JACK-FA state machine walked over the text "technxyzicallyabc"]

Why we need k JACK-FA
[Figure: the JACK-FA state machine and the text "technxyzicallyabc"]

Speed up
[Figure: the text "technxyzicallyab"]
● A single machine in off-chip memory
● k approximate and compressed machines in on-chip memory
● Use Bloom filters

Tabular Representation
[Figure: the JACK-FA state machine, as on the JACK-FA slide]

[state, substr] | Next State | Matching str | Failure Chain
[q0, tech]      | q1         | -            | q0
[q0, tele]      | q2         | S3           | q0
[q0, phon]      | q3         | -            | q0
[q0, elep]      | q4         | -            | q0
[q1, nica]      | q5         | -            | q0
[q2, phon]      | q6         | -            | q3, q0
[q4, hant]      | q7         | S6           | q0
[q0, tel]       | -          | S3           | -
[q3, e]         | -          | S5           | -
[q5, lly]       | -          | S1, S2       | -
[q5, l]         | -          | S1           | -
[q6, e]         | -          | S4, S5       | -

Implementation with Bloom Filters
[Figure: the [state, substr] table from the Tabular Representation slide, with four groups of Bloom filters B1, B2, B3, B4 labelled q1, q2, q3 and q4]
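
An added sketch (not code from the slides) of the idea on the "Tabular Representation" and "Implementation with Bloom Filters" slides: an on-chip Bloom filter answers most [state, substr] probes, and only probable hits are looked up in the exact off-chip table. The single filter, the SHA-256 based hashing, the scan loop and the reading of "Failure Chain" as the chain of the next state are assumptions.

```python
import hashlib

K = 4  # characters consumed per jump, as in the slides' figures
# Off-chip table copied from the "Tabular Representation" slide. Assumed value layout:
# (next state, matched strings, failure chain of the next state).
TABLE = {
    ("q0", "tech"): ("q1", (), ("q0",)),
    ("q0", "tele"): ("q2", ("s3",), ("q0",)),
    ("q0", "phon"): ("q3", (), ("q0",)),
    ("q0", "elep"): ("q4", (), ("q0",)),
    ("q1", "nica"): ("q5", (), ("q0",)),
    ("q2", "phon"): ("q6", (), ("q3", "q0")),
    ("q4", "hant"): ("q7", ("s6",), ("q0",)),
    ("q0", "tel"): (None, ("s3",), ()), ("q3", "e"): (None, ("s5",), ()),
    ("q5", "lly"): (None, ("s1", "s2"), ()), ("q5", "l"): (None, ("s1",), ()),
    ("q6", "e"): (None, ("s4", "s5"), ()),
}

class Bloom:
    """Assumed on-chip stand-in: one filter over all table keys (m bits, h hashes)."""
    def __init__(self, keys, m=256, h=4):
        self.m, self.h, self.bits = m, h, 0
        for key in keys:
            for i in self._idx(key):
                self.bits |= 1 << i
    def _idx(self, key):
        d = hashlib.sha256(repr(key).encode()).digest()
        return [int.from_bytes(d[4*i:4*i+4], "big") % self.m for i in range(self.h)]
    def __contains__(self, key):
        return all(self.bits >> i & 1 for i in self._idx(key))

def scan(text, bloom):
    """Run K machines, one per alignment; return (matches, probes, off-chip reads)."""
    found, probes, reads = set(), 0, 0
    for start in range(K):
        state, chain = "q0", ()
        for p in range(start, len(text), K):
            nxt = ("q0", ())
            for s in reversed((state,) + chain):  # shortest context first, longest wins
                for n in range(1, min(K, len(text) - p) + 1):  # tails, then full block
                    key = (s, text[p:p + n])
                    probes += 1
                    if key in bloom:                    # cheap on-chip membership test
                        reads += 1                      # only now touch off-chip memory
                        hit = TABLE.get(key, (None, (), ()))  # exact, so a false positive is harmless
                        found.update(hit[1])
                        nxt = (hit[0], hit[2]) if hit[0] else nxt
            state, chain = nxt
    return found, probes, reads
```

On the slides' text "technxyzicallyabc" the scan reports no string, and nearly all probes are answered by the filter without an off-chip read.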

Throughput with Snort strings
● Off-chip memory: 250 MHz QDR-SRAM, 64-bit wide
● String concentration: 1 in 100 characters
● 2250 strings
● 2 to 122 character strings

Conclusions
● Fast string matching is an important module for Content filtering applications
● Off-chip memory accesses slow down string matching
● A large fraction of memory accesses can be avoided
  ○ Using a small on-chip memory and Bloom filters
● Our accelerated Aho-Corasick algorithm
  ○ can process 2250 strings
  ○ with less than 50KB on-chip memory
  ○ At a speed of more than 10Gbps

Thanks! Questions ?

Motivation
● The multi-pattern matching algorithm works for short strings (16 bytes)
  ○ Hash computation over long strings becomes problematic
  ○ Some virus signatures can be several hundred bytes long
  ○ Snort’s longest string is 122 bytes

Accelerated Aho-Corasick Algorithm
● How to support arbitrarily large strings? At the cost of more memory?
  ○ Break a long string into multiple smaller pieces
  ○ Stitch them in a state machine
  ○ Match individual segment and track the state machine
[Figure: state machine with labels q0, q1, q2, q3, "tech", "nically", Symbols and Tail]

Speed up
[Figure: the text "technxyzicallyab" with labels s1, s2, s3, s4]

Multiple machines
[Figure: the text "technxyzicallyab" with labels s1, s2, s3, s4]

Bloom Filter
[Figure, four frames: hash functions H1, H2, H3, H4 and Hk map an item to positions in an m-bit array. Frames show X, then Y, then X again reported as a match, then W reported as a match (false positive)]

Bloom filter
Is x present in the filter? {No, Yes}
Can be a false positive
But false positive probability is very small…like
Represents a set of strings
Each string consumes very few bits…like 12 to 16 bits