
1 Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, guo}@cs.ucr.edu CSE Dept, UC Riverside 03/14/2007

2 Outline
Motivation
Background and challenges
Evaluation metrics
Algorithm comparison
Implementation details
–Regular expression
–DFA & NFA
–Detection engine
Result
Future work

3 Motivation
A class of packet processing applications needs to inspect packets deeper than the protocol headers and analyze their payloads
–Network Security
–HTTP load balancing
–XML processing
–Content-based billing and forwarding

4 Deep Packet Inspection (DPI)
Shallow packet inspection
–Checks the header portion of a packet only
Deep packet inspection
–A form of computer network packet filtering that examines the data part of a through-passing packet, searching for non-protocol compliance or predefined criteria to decide if the packet can pass

5 Challenges for DPI
Operates at wire speed
Large number of signatures (i.e. string patterns)
Patterns are highly complex and overlap
Location of signatures is unknown

6 DPI Evaluation Metrics
Packet processing rate
Memory requirement
–SRAM, DRAM, TCAM
Power consumption
–TCAM
Scalability
–The time to process new signatures and insert them into the system

7 DPI Algorithms
Fixed string matching
–Parallel Boyer-Moore (BM)
–Aho-Corasick Boyer-Moore (AC_BM)
–Setwise Boyer-Moore-Horspool
–Bloom Filter
–CAM Based
Regular expression matching
–Deterministic Finite Automaton (DFA)
–Non-deterministic Finite Automaton (NFA)

8 Regular Expression (RE)
Expressive power and flexibility for describing useful patterns
–Linux Application Protocol Classifier (L7-filter)
–The Snort intrusion detection system (1131 out of 4867 rules using regular expressions as of February 2006)

9 Example of RE “^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80”

10 DFA Vs. NFA
Performance comparison
–For 1 RE with length n

       Construction Time   Processing Complexity   Space Complexity
NFA    O(n)                O(n^2)                  O(n)
DFA    O(2^n)              O(1)                    O(2^n)

DFA
–Higher processing speed
–Acceptable construction time and memory consumption with lazy-DFA (DFA+NFA)
–More efficient in software implementation

11 Project Architecture

12 Detection Engine
[Figure: block diagram of the detection engine. Labels: Incoming Streams, Input buffer, Dispatcher, Content Scanner 1, Content Scanner 2, …, Content Scanner 16, RE1 DFA, RE2 DFA, RE3 DFA, RE8 DFA, outgoing Streams]

13 Detection Engine Setup
# of Content Scanner (optimal)
–SRAM 128bits (input)
–Processing unit: 8bits/char
–Processing power: 128/8 = 16 chars/cycle
# of REs for each Content Scanner
–SRAM 128bits (output)
–Processing unit: 1bit (accept:1 else:0)
–# of streams: 16 (best throughput)
–Each stream could be processed with 128/16=8 REs concurrently

14 DFA Representation
[Table: DFA transition table. Columns: input char 0, 1, …, 255. Rows: states 1, 2, …, M. Each cell holds a state number.]
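
The trade-off in the DFA vs. NFA table (slide 10) and the state-by-input-char table of slide 14, as an added Python example that is not from the presentation. The pattern family (a|b)*a(a|b){k-1} and all function names are constructed for this illustration: its NFA has k+1 states, while subset construction yields 2^k live DFA states plus one dead state.

```python
# Added example, not from the slides. Pattern family (constructed for this demo):
# (a|b)*a(a|b){k-1}, i.e. "the k-th byte from the end is 'a'".

def build_nfa(k):
    """NFA with k+1 states. Returns (transitions, start, accept)."""
    nfa = {(0, ord("a")): {0, 1}, (0, ord("b")): {0}}
    for s in range(1, k):
        for byte in b"ab":
            nfa[(s, byte)] = {s + 1}
    return nfa, 0, k

def nfa_match(nfa, start, accept, data):
    """Track the set of active states; work per byte grows with the state count."""
    active = {start}
    for byte in data:
        active = set().union(*(nfa.get((s, byte), ()) for s in active))
    return accept in active

def nfa_to_dfa(nfa, start, accept):
    """Subset construction. table[state][byte] -> next state, 256 columns per row."""
    order = [frozenset([start])]
    ids = {order[0]: 0}
    table = []
    for subset in order:                      # 'order' grows as new subsets appear
        row = []
        for byte in range(256):
            nxt = frozenset().union(*(nfa.get((s, byte), ()) for s in subset))
            if nxt not in ids:
                ids[nxt] = len(order)
                order.append(nxt)
            row.append(ids[nxt])
        table.append(row)
    return table, [accept in subset for subset in order]

def dfa_match(table, accepting, data):
    """One table lookup per input byte, independent of pattern length."""
    state = 0
    for byte in data:
        state = table[state][byte]
    return accepting[state]

if __name__ == "__main__":
    for k in (3, 8, 12):
        nfa, start, accept = build_nfa(k)
        table, accepting = nfa_to_dfa(nfa, start, accept)
        print(f"k={k}: NFA states={k + 1}, DFA states={len(table)}, "
              f"DFA table entries={len(table) * 256}")
```

Each extra position in the pattern doubles the DFA table, which is the O(2^n) space cost that the lazy-DFA approach on slide 10 is meant to keep acceptable.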

15 Environment on Grep application
Input stream: 70MB file
RE:
–For speed test: “[1-9]* [0-9]\.*[0-9]+”
–For area test: “U\.?S\.?(D\.?)?[\ ]*(\$[\ ]*)?([0-9]+,[0-9]+,[0-9]+|[0-9]+\.[0-9]+\.[0-9]+|[0-9]+(\.[0-9]+)?[\ ]*milli?on)”

16 Result
Optimal throughput
–16 * 8bits * 200MHz = 25.6Gbps
Processing speedup

        Grep_FPGA   Grep_original   Speedup
Real    10.271      76.133          7.412
User    3.740       76.096          20.346
sys     5.496       0.036           -152.667

Logic consumption
–9% Slice Flip-flop
–6% 4-input LUT

17 Future work
SNORT
–More powerful application
Input stream preprocessing
–TCP/IP packet
–Packet arrival interval latency

18 Special thanks to John and Betul for the instruction on ISE and ROCCC

