Abstract
Deep packet inspection (DPI) scans both packet headers and payloads to search for predefined signatures. As the link rates and traffic volumes of the Internet keep growing, DPI faces the performance challenge of achieving line-speed packet processing with limited embedded memory. The recent trie bitmap content analyzer (TriBiCa) suffers from high update overhead and many false positive memory accesses, while the shared-node fast hash table (SFHT) suffers from high update overhead and large memory requirements. This paper presents an index-split Bloom filter (ISBF) to overcome these issues. Given a set of off-chip items, the index of each item is split into several groups of a constant number of bits, and each group of bits uses an array of on-chip parallel counting Bloom filters (CBFs) to represent the overall off-chip items. When an item is queried, the groups of on-chip parallel CBFs together constitute the index of an off-chip item that is a candidate for a match. Furthermore, we propose a lazy deletion algorithm and a vacant insertion algorithm to reduce the update overhead of ISBF, where an on-chip deletion bitmap is used to update the on-chip parallel CBFs without adjusting other related off-chip items. The ISBF is a time- and space-efficient data structure, which not only achieves O(1) average memory accesses for insertion, deletion, and query, but also reduces the memory requirements. Experimental results demonstrate that, compared with TriBiCa and SFHT, the ISBF significantly reduces the off-chip memory accesses and processing time of primitive operations, as well as both the on-chip and off-chip memory sizes.
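A minimal software sketch of the structure the abstract describes, added here as an illustration and not the authors' implementation: each group of index bits gets one counting Bloom filter per possible group value, a query reassembles a candidate index from the filters that hit, and deletion only decrements counters and flags the slot in a bitmap. The class names, the 8-bit index split into 2-bit groups, the CBF sizing, the BLAKE2 hashing and the bitmap layout are all assumptions of this sketch.

```python
import hashlib
from itertools import product

class CBF:  # counting Bloom filter: m counters, k hash positions per item
    def __init__(self, m=256, k=3):
        self.m, self.k, self.c = m, k, [0] * m
    def _pos(self, item):
        for i in range(self.k):
            h = hashlib.blake2b(item, digest_size=8, person=bytes([i])).digest()
            yield int.from_bytes(h, "big") % self.m
    def add(self, item, delta=1):
        for p in self._pos(item):
            self.c[p] += delta
    def __contains__(self, item):
        return all(self.c[p] > 0 for p in self._pos(item))

class ISBF:
    def __init__(self, index_bits=8, group_bits=2):
        self.gb, self.groups = group_bits, index_bits // group_bits
        # On-chip: per group of index bits, one CBF for each possible group value.
        self.cbf = [[CBF() for _ in range(1 << group_bits)] for _ in range(self.groups)]
        self.table = [None] * (1 << index_bits)   # off-chip item storage
        self.vacant = [True] * (1 << index_bits)  # on-chip bitmap (assumed layout)
        self.offchip_reads = 0
    def _split(self, idx):
        return [(idx >> (g * self.gb)) & ((1 << self.gb) - 1) for g in range(self.groups)]
    def insert(self, item):
        idx = self.vacant.index(True)  # vacant insertion: take the first free slot
        for g, v in enumerate(self._split(idx)):
            self.cbf[g][v].add(item)
        self.table[idx], self.vacant[idx] = item, False
        return idx
    def query(self, item):
        hits = [[v for v, f in enumerate(row) if item in f] for row in self.cbf]
        for vals in product(*hits):  # yields nothing if any group has no hit
            idx = sum(v << (g * self.gb) for g, v in enumerate(vals))
            if self.vacant[idx]:
                continue
            self.offchip_reads += 1  # one off-chip access to confirm the candidate
            if self.table[idx] == item:
                return idx
        return None
    def delete(self, item):
        idx = self.query(item)
        if idx is not None:
            for g, v in enumerate(self._split(idx)):
                self.cbf[g][v].add(item, -1)
            self.vacant[idx] = True  # lazy: flag the slot, move no off-chip item
        return idx
```

A CBF false positive in this sketch costs an extra off-chip read but never a wrong match, because every candidate index is confirmed against the stored item.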
Cite this article
Huang, K., Zhang, D. An index-split Bloom filter for deep packet inspection. Sci. China Inf. Sci. 54, 23–37 (2011). https://doi.org/10.1007/s11432-010-4132-4
DOI: https://doi.org/10.1007/s11432-010-4132-4