Presentation is loading. Please wait.

Presentation is loading. Please wait.

Compact DFA Structure for Multiple Regular Expressions Matching

Published byMarshall Griffin Tyler Modified over 5 years ago

Similar presentations

Presentation on theme: "Compact DFA Structure for Multiple Regular Expressions Matching"— Presentation transcript:

1 Compact DFA Structure for Multiple Regular Expressions Matching
2019/5/5 Compact DFA Structure for Multiple Regular Expressions Matching Author: Wei Lin , Yi Tang, Bin Liu, Derek Pao and XiaoFei Wang Conference: IEEE ICC, 2009 Presenter: Kuan-Chieh Feng Date: 2017/02/15 Department of Computer Science and Information Engineering National Cheng Kung University CSIE CIAL Lab 1

2 Outline Introduction CPDFA Architecture Performance Evaluation
National Cheng Kung University CSIE Computer & Internet Architecture Lab

3 Introduction New applications such as real-time deep packet inspection require high-speed regular expression matcher. The number of regex is increasing to several thousands. The Snort HTTP signature set will result in a DFA larger than 15GB. National Cheng Kung University CSIE Computer & Internet Architecture Lab

4 Introduction According to statistics of regexes in Snort and L7-filter rules, transitions from each state to its next states are not evenly distributed. The summation of transitions from each state to its top three most popular next states takes about 90% of all the transitions. National Cheng Kung University CSIE Computer & Internet Architecture Lab

5 Introduction About 90% transitions will go to the top three most popular next states. The remaining transitions are further optimized to store more compactly and access more efficiently. K parallel SRAMs with different size are used to hold a majority of the remaining transitions. CPDFA uses pipelined architecture implemented in FPGA National Cheng Kung University CSIE Computer & Internet Architecture Lab

6 CPDFA Architecture Original DFA
2019/5/5 CPDFA Architecture Original DFA 假設將所有input character classes分為十種 並且根據其順序排列 數量前三多的state會先被歸類出來 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

7 CPDFA Architecture Indirect Table
2019/5/5 CPDFA Architecture Indirect Table 直列為state ID 橫列character classes 00 代表往最多的state transition 01 代表往第二多的 10代表往第三多的 00 代表不屬於前三多的transition National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

8 CPDFA Architecture Because the three most significant next states for each state are different, a transition output table is used to record the three most significant next states for each state. Let the number of states be M and the size of a state ID be L bits. The transition output table can be organized as M rows by 3 x L bits wide National Cheng Kung University CSIE Computer & Internet Architecture Lab

9 CPDFA Architecture Transition Output Table
2019/5/5 CPDFA Architecture Transition Output Table 查完indirect table後 接著要查transition output table National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

10 CPDFA Architecture The offset obtained from indirect index table can be used to choose one of the three next state IDs of the selected row. In this way, transitions from each state to its top three most popular next states can be stored and accessed efficiently. National Cheng Kung University CSIE Computer & Internet Architecture Lab

11 CPDFA Architecture The remaining transitions of each state are stored and accessed in different way according to whether the number of the remaining transitions of each state is more than K or not. National Cheng Kung University CSIE Computer & Internet Architecture Lab

12 CPDFA Architecture If the number of remaining transitions of a state is not more than K (K=4), the states will be arranged in descending order based on the number of remaining transitions of the state, and the transitions of the same state will be stored at the same address in different SRAMs from left to right. National Cheng Kung University CSIE Computer & Internet Architecture Lab

13 2019/5/5 CPDFA Architecture The state ID is used as index to access the same address of multiple SRAMs 例如state A 只有一條outgoing transition 從A到E 則會被存在SRAM1 讀取石透過state ID來index SRAM的位置並且找出transition National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

14 2019/5/5 CPDFA Architecture If the number of remaining transitions for a state is more than K, the transitions will be stored in a direct transition table (DTT). The row index is the state ID, and the column index is the input character class. The table entry is the next state information. For example, excluding the outgoing transitions from B to {F, G, H}, if the number of outgoing transitions for state B is more than K (K=4), one entry in DTT will be used to store these remaining outgoing transitions for state B National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

15 CPDFA Architecture Direct Transition Table
National Cheng Kung University CSIE Computer & Internet Architecture Lab

16 CPDFA Architecture Storage Estimation M : # of state in DFA
2019/5/5 CPDFA Architecture Storage Estimation M : # of state in DFA L : size of state ID N : remaining transition less than K X : number of character classes M : # of state in DFA L : size of state ID N : remaining transition less than K X : number of character classes National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

17 CPDFA Architecture State ID Assignment
National Cheng Kung University CSIE Computer & Internet Architecture Lab

18 CPDFA Architecture In order to share the above four tables with multiple DFAs, each DFA will be allocated a section of address space in each table and each DFA will record its starting address in each table. National Cheng Kung University CSIE Computer & Internet Architecture Lab

19 2019/5/5 CPDFA Architecture Search會根據input character與current state來分辨 假如current state ID小於N的話 indirect table與K parallel sram會被同時讀取 假如大或小於N則會讀取indirect table與DTT 這個系統可以透過增加delay register來形成pipeline的架構,而throughput就是每讀取一個字元需要做幾次memory access National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

20 CPDFA Architecture By using the indirect index to represent transitions to top three most popular next states, about 90% transitions can be represented more compactly and efficiently. The remaining transitions of each state are stored in K parallel SRAMs or DTT, which further reduced the storage requirement to represent DFA transitions. National Cheng Kung University CSIE Computer & Internet Architecture Lab

21 Performance Evaluation
2019/5/5 Performance Evaluation 1 R-trans: remaining transitions except transitions to top 3 most popular next states. 2 K: the default value is set to 10. 3 TOP-3: Transitions from each state to its top three most popular next states 4 L: L7-filter rules group. 5 S: Snort rules group National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

22 Performance Evaluation
National Cheng Kung University CSIE Computer & Internet Architecture Lab

23 Performance Evaluation
National Cheng Kung University CSIE Computer & Internet Architecture Lab

Download ppt "Compact DFA Structure for Multiple Regular Expressions Matching"

Similar presentations

Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.

Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.
Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:

Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:
Optimizing Regular Expression Matching with SR-NFA on Multi-Core Systems Authors : Yang, Y.E., Prasanna, V.K. Yang, Y.E. Prasanna, V.K. Publisher : Parallel.

Optimizing Regular Expression Matching with SR-NFA on Multi-Core Systems Authors : Yang, Y.E., Prasanna, V.K. Yang, Y.E. Prasanna, V.K. Publisher : Parallel.
An Efficient Regular Expressions Compression Algorithm From A New Perspective Authors : Tingwen Liu,Yifu Yang,Yanbing Liu,Yong Sun,Li Guo Tingwen LiuYifu.

An Efficient Regular Expressions Compression Algorithm From A New Perspective Authors : Tingwen Liu,Yifu Yang,Yanbing Liu,Yong Sun,Li Guo Tingwen LiuYifu.
Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,

Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,
Design of High Performance Pattern Matching Engine Through Compact Deterministic Finite Automata Department of Computer Science and Information Engineering.

Design of High Performance Pattern Matching Engine Through Compact Deterministic Finite Automata Department of Computer Science and Information Engineering.
Scalable IPv6 Lookup/Update Design for High-Throughput Routers Authors: Chung-Ho Chen, Chao-Hsien Hsu, Chen -Chieh Wang Presenter: Yi-Sheng, Lin ( 林意勝.

Scalable IPv6 Lookup/Update Design for High-Throughput Routers Authors: Chung-Ho Chen, Chao-Hsien Hsu, Chen -Chieh Wang Presenter: Yi-Sheng, Lin ( 林意勝.
1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.

1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.
Pipelined Architecture For Multi-String Match Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.

Pipelined Architecture For Multi-String Match Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.
Memory-Efficient Regular Expression Search Using State Merging Department of Computer Science and Information Engineering National Cheng Kung University,

Memory-Efficient Regular Expression Search Using State Merging Department of Computer Science and Information Engineering National Cheng Kung University,
Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.

Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.
High-Performance Packet Classification on GPU Author: Shijie Zhou, Shreyas G. Singapura and Viktor K. Prasanna Publisher: HPEC 2014 Presenter: Gang Chi.

High-Performance Packet Classification on GPU Author: Shijie Zhou, Shreyas G. Singapura and Viktor K. Prasanna Publisher: HPEC 2014 Presenter: Gang Chi.
Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems Author: Domenico Ficara, Gianni Antichi, Andrea Di Pietro, Stefano.

Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems Author: Domenico Ficara, Gianni Antichi, Andrea Di Pietro, Stefano.
Packet Classification Using Multi-Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: COMPSACW, 2013 IEEE 37th Annual (Computer.

Packet Classification Using Multi-Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: COMPSACW, 2013 IEEE 37th Annual (Computer.
Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:

Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:
SI-DFA: Sub-expression Integrated Deterministic Finite Automata for Deep Packet Inspection Authors: Ayesha Khalid, Rajat Sen†, Anupam Chattopadhyay Publisher:

SI-DFA: Sub-expression Integrated Deterministic Finite Automata for Deep Packet Inspection Authors: Ayesha Khalid, Rajat Sen†, Anupam Chattopadhyay Publisher:
A Regular Expression Matching Algorithm Using Transition Merging Department of Computer Science and Information Engineering National Cheng Kung University,

A Regular Expression Matching Algorithm Using Transition Merging Department of Computer Science and Information Engineering National Cheng Kung University,
A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,

A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,
EQC16: An Optimized Packet Classification Algorithm For Large Rule-Sets Author: Uday Trivedi, Mohan Lal Jangir Publisher: 2014 International Conference.

EQC16: An Optimized Packet Classification Algorithm For Large Rule-Sets Author: Uday Trivedi, Mohan Lal Jangir Publisher: 2014 International Conference.
Pattern-Based DFA for Memory- Efficient and Scalable Multiple Regular Expression Matching Author: Junchen Jiang, Yang Xu, Tian Pan, Yi Tang, Bin Liu Publisher:IEEE.

Pattern-Based DFA for Memory- Efficient and Scalable Multiple Regular Expression Matching Author: Junchen Jiang, Yang Xu, Tian Pan, Yi Tang, Bin Liu Publisher:IEEE.

Similar presentations

Ads by Google