Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman"— Presentation transcript:

1 1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz {fyu,randy}@eecs.berkeley.edu T. V. Lakshman lakshman@research.bell-labs.com

2 2 Outline Pattern matching is a crucial component of network intrusion detection system  Thousands of patterns  Require high rate (e.g. gigabit)  Current software based pattern matching algorithms is not sufficient Use Ternary Content Addressable Memory (TCAM) for fast pattern matching  Straight-forward solution  Support for long patterns, patterns with correlations, and patterns with negation  Speedup to multi-gigabit rate

3 3 Pattern Matching Single pattern matching  Given an input string P and a pattern string T, whether T appears in P? Multiple-pattern matching  Given an input string P and a set of pattern strings T 1, T 2, …T m, whether any T i appear in P?

4 4 Applications of Pattern Matching Anti-virus software Bio-informatics: searching for gene patterns Intrusion detection system (E.g. Snort, Bro )  Thousands of patterns  Patterns with correlations “abc” followed by “cde” within 3 bytes  Patterns with negation “user” not followed by “|0a|” within 10 bytes  Gigabit scan rate

5 5 Current Pattern Matching Algorithms Boyer-Moore  For single pattern matching  Number of comparisons is linear to the input string length Aho-Corasick  Build finite automaton for multiple pattern matching  linear number of comparisons  Cons: Need to compile every time new patterns are added or deleted Large automaton (>1G) may not fit in fast memory (SRAM) Set-wise Boyer-Moore  Restore the reverse pattern in a trie for multiple pattern matching  linear number of comparisons  Similar cons as Aho-corasick

6 6 Ternary-CAM (TCAM) Each cell takes three logic states  ‘0’, ‘1’, and ‘?’(don’t care) Fully associative memory: compares input string with all the entries in parallel  If multiple matches, report index of the first match Current TCAM technology  Fast Match Time: 4-8 ns  Size: 1M 1K entries * 1K bytes per entry 2K entries * 512 bytes per entry

7 7 Pattern Matching with TCAM Put all the patterns into the TCAM  Assume patterns are less or equal to TCAM width  If shorter than TCAM width, pad with ‘?’  Order the patterns according reverse lengths When matching entry ABC, report matching of both pattern ABC and AB Shift one byte each time

8 8 Analysis Scan speed:  4-8 ns per TCAM lookup, shift one byte at a time  1-2 Gbps worst case scan rate Able to report occurrences of all the patterns in the input string Limitation: require all the patterns to be shorter or equal than the TCAM width

9 9 Long Patterns What if pattern is longer than the width of TCAM? Split it into multiple partial patterns For example, TCAM width k=4 Pattern index Pattern content 1ABCDAA 2BCDAK 3BCDAAAB

10 10 Partial Hit list for Long Patterns Use a table to store the partial hit pattern  Keep matches at previous k positions Partial Hit List PositionMatched entry [1,4]ABCD PositionMatched entry PositionMatched entry [1,4]ABCD [2,5]BCDA

11 11 Concatenate Partial Patterns into Long Patterns When finding another pattern at position [i, i+k-1],  Check the combination with match at [i-k, i-1] Patterns: ABCDAA, BCDAK, BCDAAAB Matching Table First Match Second Match Matching pattern ABCD No match ABCDBCDANo match ABCDAAB?ABCDAA ABCDAA??ABCDAA BCDAABCDNo match Partial Hit List PositionMatched entry [1,4]ABCD PositionMatched entry PositionMatched entry [2,5]BCDA PositionMatched entry [6,9]ABCD

12 12 Correlated Patterns Correlated patterns: one pattern after another pattern  E.g. “ABCD” followed by “DEF” within 4 bytes Similar to long patterns  The distance between two partial patterns for long pattern is = k  The distance between correlated pattern >= 1  If find pattern matching at position [i, i+k], Need to check all the previous matches in the partial hit list If partial hit list is large  problem! Partial Hit List PositionMatched Entry [1,4]ABCD

13 13 Patterns with Negation In snort rule set, there are following rules:  content : "USER" ; content : !"|0a|" ; within : 50 ; Similar to regular correlated patterns  When matching “USER”, add it to partial list  When matching "|0a|", remove “USER” from partial list  If no match of "|0a|" in 50 bytes, report hit of full pattern Need to maintain a lifetime for entries in partial list

14 14 Statistical Analysis of Partial Hit Table Size Assume random input string, random independent patterns Parameters  Input string size: m bytes  Number of patterns: n  Pattern size: k bytes Chances of a matching at position [0, k-1] is There are at most m positions, so average hit is Suppose an bad case: m = 2^10, n=2^11, k=3, then average hit is 2^-3  Partial hit list table size<1

15 15 Malicious Attack? Any made-up input string can match one pattern at position [i, i+k] and another at position [i+j, i+k+j] ?  When j = 1, probability is:  low when k>4  When j increases, the probability increases. If j=k, then probability =1 To protect against malicious attack, we want to limit the size of partial hit list  Window: limit the distance between two correlated patterns  On-going research

16 16 Speed up to Multi-gigabit Rate Instead of shift one byte at a time, shift s bytes each time  Put each pattern s times in the TCAM at different positions  Need to put extra entry (ABCD) for overlapped pattern: ABC and BCD. Analysis for speed up of s times  Roughly s times original TCAM entries Overlapped patterns are few when pattern length k is large  Matching table kept in memory is s 2 original size  More patterns cut into partial patterns  Suggest s to be small (e.g. <=5)

17 17 Conclusion and Future Work Multiple pattern matching with TCAM can:  Support all the pattern matching in Snort Search for thousands patterns in parallel Support long patterns, correlated patterns, and also patterns with negation Can report all the occurrences of all the patterns in the input string Can’t do other function like byte jump, byte test etc  Bring Anti-virus scan speed to gigabit rate Initial analytical results will be shown in poster session Future work  Analyze on the cost of insertion and deletion of patterns  Further analysis on the partial list hit window size  Further extensive simulation to test the scheme

18 18 Backup Slides

19 19 Memory Technology (2003-04) TechnologySingle chip density $/chip ($/MByte) Access speed Watts/ch ip Networking DRAM 64 MB$30-$50 ($0.50-$0.75) 40-80ns0.5-2W SRAM4 MB$20-$30 ($5-$8) 4-8ns1-3W TCAM1 MB$200-$250 ($200-$250) 4-8ns15-30W Note: Price, speed and power are manufacturer and market dependent. Pankaj Gupta, “Address Lookup and Classification”

20 20 Software Based Algorithm v.s. TCAM Suppose 2K patterns, average of 16 bytes Software Based Algorithm using DFA  O(2K*16) = O(2^15) states  2^8 next byte possibility  O(2^23) entries, each entry O(log(2^15))= 2Bytes  16M memory Won’t fit in fast SRAM If put in DRAM, max throughput is 200Mbps TCAM approach  2K*16 = 32K bytes

Download ppt "1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman"

Similar presentations

Gigabit Rate Packet Pattern-Matching Using TCAM

Gigabit Rate Packet Pattern-Matching Using TCAM
Liron Schiff * (TAU) Joint work with Yehuda Afek, Anat Bremler-Barr (TAU) (IDC) Recursive Design of Hardware Priority Queues Supported by European Research.

Liron Schiff * (TAU) Joint work with Yehuda Afek, Anat Bremler-Barr (TAU) (IDC) Recursive Design of Hardware Priority Queues Supported by European Research.
August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta

August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta
Fast Updating Algorithms for TCAMs Devavrat Shah Pankaj Gupta IEEE MICRO, Jan.-Feb. 2001.

Fast Updating Algorithms for TCAMs Devavrat Shah Pankaj Gupta IEEE MICRO, Jan.-Feb
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.

Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.
Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.

Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.
Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.

Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.
Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.

Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.
A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:

A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:
Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,

Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,
Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.
1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu

1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.

CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.
Efficient Multi-Match Packet Classification with TCAM Fang Yu

Efficient Multi-Match Packet Classification with TCAM Fang Yu
ECE 526 – Network Processing Systems Design Network Security: string matching algorithm Chapter 17: George Varghese.

ECE 526 – Network Processing Systems Design Network Security: string matching algorithm Chapter 17: George Varghese.
SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Martin Austin Motoyama 1 Randy H. Katz 1 1 EECS.

SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Martin Austin Motoyama 1 Randy H. Katz 1 1 EECS.
An Efficient IP Lookup Architecture with Fast Update Using Single-Match TCAMs Author: Jinsoo Kim, Junghwan Kim Publisher: WWIC 2008 Presenter: Chen-Yu.

An Efficient IP Lookup Architecture with Fast Update Using Single-Match TCAMs Author: Jinsoo Kim, Junghwan Kim Publisher: WWIC 2008 Presenter: Chen-Yu.
1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Department of Computer Science and Information Engineering National.

1 Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection Department of Computer Science and Information Engineering National.

Similar presentations

Ads by Google