Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
129 tokens/sec
GPT-4o
28 tokens/sec
Gemini 2.5 Pro Pro
42 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

XAV: A High-Performance Regular Expression Matching Engine for Packet Processing (2403.16533v1)

Published 25 Mar 2024 in cs.NI

Abstract: Regular expression matching is the core function of various network security applications such as network intrusion detection systems. With the network bandwidth increases, it is a great challenge to implement regular expression matching for line rate packet processing. To this end, a novel scheme named XAV targeting high-performance regular expression matching is proposed in this paper. XAV first employs anchor DFA to tackle the state explosion problem of DFA. Then based on anchor DFA, two techniques including pre-filtering and regex decomposition are utilized to improve the average time complexity. Through implementing XAV with an FPGA-CPU architecture, comprehensive experiments show that a high matching throughput of up to 75 Gbps can be achieved for the large and complex Snort rule-set. Compared to state-of-the-art software schemes, XAV achieves two orders of magnitude of performance improvement. While compared to state-of-the-art FPGA-based schemes, XAV achieves more than 2.5x performance improvement with the same hardware resource consumption.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (54)
  1. hxdp: Efficient software packet processing on fpga nics. Communications of the ACM, 65(8):92–100, 2022.
  2. Isolation mechanisms for {{\{{High-Speed}}\}}{{\{{Packet-Processing}}\}} pipelines. In 19th USENIX Symposium on Networked Systems Design and Implementation (NSDI 22), pages 1289–1305, 2022.
  3. A survey on regular expression matching for deep packet inspection: Applications, algorithms, and hardware platforms. IEEE Communications Surveys & Tutorials, 18(4):2991–3029, 2016.
  4. Curing regular expressions matching algorithms from insomnia, amnesia, and acalculia. In Acm/ieee Symposium on Architecture for Networking & Communications Systems, 2007.
  5. Deflating the big bang: Fast and scalable deep packet inspection with extended finite automata. In ACM, pages 207–218, 2008.
  6. Hyperscan: a fast multi-pattern regex matcher for modern cpus. In 16th {normal-{\{{USENIX}normal-}\}} Symposium on Networked Systems Design and Implementation ({normal-{\{{NSDI}normal-}\}} 19), pages 631–648, 2019.
  7. High-performance and compact architecture for regular expression matching on fpga. IEEE Transactions on Computers, 61(7):1013–1025, 2012.
  8. A high-performance round-robin regular expression matching architecture based on fpga. In 2018 IEEE Symposium on Computers and Communications (ISCC), pages 1–7. IEEE, 2018.
  9. FPGA-CPU Architecture Accelerated Regular Expression Matching With Fast Preprocessing. The Computer Journal, 10 2022. bxac138.
  10. Achieving 100gbps intrusion prevention on a single server. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20), pages 1083–1100, 2020.
  11. Fidas: Fortifying the cloud via comprehensive fpga-based offloading for intrusion detection: Industrial product. In Proceedings of the 49th Annual International Symposium on Computer Architecture, ISCA ’22, page 1029–1041, New York, NY, USA, 2022. Association for Computing Machinery.
  12. Chain-based dfa deflation for fast and scalable regular expression matching using tcam. In Acm/ieee Seventh Symposium on Architectures for Networking & Communications Systems, 2011.
  13. Impala: Algorithm/architecture co-design for in-memory multi-stride pattern matching. In 2020 IEEE International Symposium on High Performance Computer Architecture (HPCA), 2020.
  14. Intelligent systems in latest dfa compression methods for dpc. In Handbook of Research on Evolving Designs and Innovation in ICT and Intelligent Systems for Real-World Applications, pages 129–146. IGI Global, 2022.
  15. K Kumar et al. Network intrusion detection system in latest dfa compression methods for deep packet scruting. In Design, Applications, and Maintenance of Cyber-Physical Systems, pages 219–243. IGI Global, 2021.
  16. Enabling fast and memory-efficient acceleration for pattern matching workloads: The lightweight automata processing engine. IEEE Transactions on Computers, 72(4):1011–1025, 2022.
  17. Algorithms to accelerate multiple regular expressions matching for deep packet inspection. In ACM, pages 339–350, 2006.
  18. M. Becchi and P. Crowley. A-dfa: A time- and space-efficient dfa compression algorithm for fast regular expression evaluation. ACM Transactions on Architecture and Code Optimization, 10(1):1–26, 2013.
  19. Design and optimizations for efficient regular expression matching in dpi systems. Computer Communications, 61(may 1):103–120, 2015.
  20. An improved dfa for fast regular expression matching. Acm Sigcomm Computer Communication Review, 38(5):29–40, 2008.
  21. Hes: Highly efficient and scalable technique for matching regex patterns. In Proceedings of the 2018 2nd High Performance Computing and Cluster Technologies Conference, pages 69–78, 2018.
  22. A. X. Liu and E. Norige. A de-compositional approach to regular expression matching for network security. IEEE/ACM Transactions on Networking, PP(99):1–13, 2019.
  23. Automata processing in reconfigurable architectures: In-the-cloud deployment, cross-platform evaluation, and fast symbol-only reconfiguration. ACM Trans. Reconfigurable Technol. Syst., 12(2), may 2019.
  24. Reapr: Reconfigurable engine for automata processing. In 2017 27th International Conference on Field Programmable Logic and Applications (FPL), 2017.
  25. Optimization of pattern matching circuits for regular expression on fpga. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 15(12):1303–1310, 2007.
  26. Compact architecture for high-throughput regular expression matching on fpga. In Proceedings of the 2008 ACM/IEEE Symposium on Architecture for Networking and Communications Systems, ANCS 2008, San Jose, California, USA, November 6-7, 2008, 2008.
  27. A regular expression matching circuit based on a modular non-deterministic finite automaton with multi-character transition. Ieice Technical Report, 2010.
  28. High-speed regular expression matching engine using multi-character nfa. In International Conference on Field Programmable Logic & Applications, 2008.
  29. A memory efficient fpga-based pattern matching engine for stateful nids. In Fifth International Conference on Ubiquitous & Future Networks, 2013.
  30. A regular expression matching engine with hybrid memories. Computer Standards & Interfaces, 36(5):880–888, 2014.
  31. A high-performance round-robin regular expression matching architecture based on fpga. In 2018 IEEE Symposium on Computers and Communications (ISCC), 2018.
  32. Compactdfa: Generic state machine compression for scalable pattern matching. In Infocom, IEEE, 2010.
  33. Fast regular expression matching using small tcams for network intrusion detection and prevention systems. In Usenix Conference on Security, 2010.
  34. An efficient and scalable semiconductor architecture for parallel automata processing. IEEE Transactions on Parallel & Distributed Systems, 25(12):3088–3098, 2014.
  35. Cache automaton. In the 50th Annual IEEE/ACM International Symposium, 2017.
  36. A workload for evaluating deep packet inspection architectures. In 2008 IEEE International Symposium on Workload Characterization, pages 79–89. IEEE, 2008.
  37. A hybrid finite automaton for practical deep packet inspection. In Proceedings of the 2007 ACM CoNEXT conference, pages 1–12, 2007.
  38. Toward fast regex pattern matching using simple patterns. In 2018 IEEE 24th International Conference on Parallel and Distributed Systems (ICPADS), pages 662–670. IEEE, 2018.
  39. {{\{{DFC}}\}}: Accelerating string pattern matching for network applications. In 13th {normal-{\{{USENIX}normal-}\}} Symposium on Networked Systems Design and Implementation ({normal-{\{{NSDI}normal-}\}} 16), pages 551–565, 2016.
  40. Efficient string matching: an aid to bibliographic search. Communications of the ACM, 18(6):333–340, 1975.
  41. Marc Norton. Optimizing pattern matching for intrusion detection. Sourcefire, Inc., Columbia, MD, 2004.
  42. Fast text searching: allowing errors. Communications of the ACM, 35(10):83–91, 1992.
  43. Exact pattern matching with feed-forward bloom filters. Journal of Experimental Algorithmics (JEA), 17:3–1, 2012.
  44. Multiple pattern matching for network security applications: Acceleration through vectorization. Journal of Parallel and Distributed Computing, 137:34–52, 2020.
  45. T. M. Graf and D. Lemire. Xor filters: Faster and smaller than bloom and cuckoo filters. Journal of Experimental Algorithmics, 25(1):1–16, 2020.
  46. Perfect hashing based parallel algorithms for multiple string matching on graphic processing units. IEEE Transactions on Parallel & Distributed Systems, PP(9):1–1, 2017.
  47. N. Tuck. Deterministic memory-efficient string matching algorithms for intrusion detection. In Proceedings of the IEEE Infocom Conference, 2004, 2004.
  48. A workload for evaluating deep packet inspection architectures. In IEEE International Symposium on Workload Characterization, 2010.
  49. Anmlzoo: a benchmark suite for exploring bottlenecks in automata processing engines and architectures. In IEEE International Symposium on Workload Characterization, pages 1–12, 2016.
  50. Accelerating dfa construction based on hierarchical merging. In 2019 IEEE 5th International Conference on Computer and Communications (ICCC), pages 1360–1365. IEEE, 2019.
  51. Idan Burstein. Nvidia data center processing unit (dpu) architecture. 2021 IEEE Hot Chips 33 Symposium (HCS), pages 1–20, 2021.
  52. Introduction to Automata Theory, Languages, and Computation, 3rd Edition. Addison-Wesley, 1979.
  53. Ken Thompson. Programming techniques: Regular expression search algorithm. Communications of the ACM, 11(6):419–422, 1968.
  54. John Hopcroft. An n log n algorithm for minimizing states in a finite automaton. Theory of machines and computations, 1971.

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now