research-article

Co-match: fast and efficient packet inspection for multiple flows

Authors:

Chengde HanAuthors Info & Claims

ANCS '09: Proceedings of the 5th ACM/IEEE Symposium on Architectures for Networking and Communications Systems

Pages 199 - 208

https://doi.org/10.1145/1882486.1882538

Published: 19 October 2009 Publication History

Abstract

Packet inspection is widely employed in application-layer protocol analyzing systems to enable accurate protocol identification. Many existing systems, however, fail to meet the requirement of keeping up with wire speed in networking. There are two limitations: (1) software-based matching schemes are usually in a sequential manner which is slow and inefficient; (2) fast hardware-based matching schemes are inapplicable to network packet processing for lacking of intrinsic support for multiple flows.

This paper proposes a novel approach for application-layer protocol identification called Co-Match, which combines software and hardware together to achieve fast and efficient signature matching for multiple flows. First, a grouping scheme is adopted to organize signatures into several matching sets. With this scheme, each packet is only matched against a subset of signatures, bringing about a remarkable improvement of matching speed in software. Second, an FPGA-based coprocessor is developed in order to support fast parallel regular expression matching for multiple flows in hardware. Moreover, a hardware-based flow-level traffic load balancer is employed to parallel multi-flow processing on multiple CPU cores. Experimental results show that our approach is efficient to handle multiple flows while system throughput can achieve the wire speed of Gigabit Ethernet links with moderate CPU usage.

References

[1]

Y.-H.E. Yang, W. Jiang, and V. K. Prasanna, "Compact Architecture for High-Throughput Regular Expression Matching on FPGA", in ANCS'08, 2008, pp. 30--39.

Digital Library

[2]

A. W. Moore and K. Papagiannaki, "Toward the Accurate Identification of Network Applications", in Passive and Active Network Measurement, 2005, pp. 41--54.

Digital Library

[3]

H. Dreger, A. Feldmann, M. Mai, V. Paxson and R. Sommer, "Dynamic application-layer protocol analysis for network intrusion detection", in Proceedings of the 15th conference on USENIX Security Symposium. vol. 15, 2006.

Digital Library

[4]

J. Levandoski, E. Sommer and M. Strait, "Application Layer Packet Classifier for Linux", http://17-filter.sourceforge.net/.

[5]

Cisco Systems Inc., Network Based Application Recognition, http://www.cisco.com/en/US/products/ps6616/products_ios_ protocol_group_home.html

[6]

F. Yu, Z. Chen, Y. Diao, T. V. Lakshman and R. H. Katz, "Fast and memory-efficient regular expression matching for deep packet inspection", in ANCS'06, 2006, pp. 93--102.

Digital Library

[7]

R. Sidhu and V. K. Prasanna, "Fast Regular Expression Matching Using FPGAs", in FCCM'01, 2001, pp. 227--238.

Digital Library

[8]

C.-H. Lin, C.-T. Huang, C.-P. Jiang, and S.-C. Chang, "Optimization of regular expression pattern matching circuits on FPGA", in Proceedings of the conference on Design, automation and test in Europe, 2006, pp. 12--17.

Digital Library

[9]

M. Becchi and P. Crowley, "Efficient Regular Expression Evaluation: Theory to Practice", in ANCS'08, 2008, pp. 50--59.

Digital Library

[10]

N. Yamagaki, R. Sidhu, and S. Kamiya, "High-speed regular expression matching engine using multi-character NFA," in FPL'08, 2008, pp. 131--136.

[11]

Official IPP2P homepage, http://www.ipp2p.org/.

[12]

D. Guo, G. Liao, L. N. Bhuyan, B. Liu, Jianxun and J. Ding, "A scalable multithreaded L7-filter design for multi-core servers", in ANCS'08, 2008, pp. 60--68.

Digital Library

[13]

R. Wojtczuk, Libnids, http://libnids.sourceforge.net/.

[14]

S. Kumar, B. Chandrasekaran, J. Turner, and G. Varghese, "Curing regular expressions matching algorithms from insomnia, amnesia, and acalculia", in ANCS'07, 2007, pp. 155--164.

Digital Library

[15]

A. Majumder, R. Rastogi, and S. Vanama, "Scalable regular expression matching on data streams," in ACM SIGMOD 2008, 2008, pp. 161--172.

Digital Library

[16]

Xilinx, http://www.xilinx.com/.

[17]

MIT DARPA Intrusion Detection Evaluation Data Set, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1999data.html/.

[18]

GNU Regex Library, http://www.gnu.org/s/libc/manual/html_node/Regular-Expressions.html/.

[19]

J. Bispo, I. Sourdis, J. M. P. Cardoso and S. Vassiliadis, "Regular expression matching for reconfigurable packet inspection", in FPT'06, 2006, pp. 119--126.

[20]

C. R. Clark and D. E. Schimmel, "Scalable Pattern Matching for High Speed Networks", in FCCM'04, 2004, pp. 249--257.

Digital Library

[21]

S. Kumar, S. Dharmapurikar, F. Yu, P. Crowley, and J. Turner, "Algorithms to accelerate multiple regular expressions matching for deep packet inspection", in ACM SIGCOMM 2006, 2006, pp. 339--350.

Digital Library

[22]

M. Becchi and S. Cadambi, "Memory-Efficient Regular Expression Search Using State Merging," in INFOCOM 2007, 2007, pp. 1064--1072.

[23]

Receive Side Scaling (RSS), http://technet.microsoft.com/en-us/network/dd277646.aspx.

[24]

B. Haagdorens, T. Vermeiren and M. Goossens, "Improving the performance of signature-based network intrusion detection sensors by multi-threading", In WISA'04, 2004, pp. 188--203.

Digital Library

[25]

V. Paxson, R. Sommer and N. Weaver, "An Architecture for Exploiting Multi-Core Processors to Parallelize Network Intrusion Prevention", in IEEE Sarnoff Symposium, 2007, pp. 1--7.

Cited By

Niemiec GBatista LSchaeffer-Filho ANazar G(2020)A Survey on FPGA Support for the Feasible Execution of Virtualized Network FunctionsIEEE Communications Surveys & Tutorials10.1109/COMST.2019.294369022:1(504-525)Online publication date: 1-Jan-2020
https://dl.acm.org/doi/10.1109/COMST.2019.2943690
Hsu CWang S(2013)An Embedded NIDS with Multi-core Aware Packet CaptureProceedings of the 2013 IEEE 16th International Conference on Computational Science and Engineering10.1109/CSE.2013.119(778-785)Online publication date: 3-Dec-2013
https://dl.acm.org/doi/10.1109/CSE.2013.119
Jiang HYang JXie G(2011)Exploring and Enhancing the Performance of Parallel IDS on Multi-core ProcessorsProceedings of the 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications10.1109/TrustCom.2011.86(673-680)Online publication date: 16-Nov-2011
https://dl.acm.org/doi/10.1109/TrustCom.2011.86

Index Terms

Co-match: fast and efficient packet inspection for multiple flows
1. Security and privacy
  1. Network security

Recommendations

Design and implementation of a plesiochronous multi-core 4x4 network-on-chip FPGA platform with MPI HAL support
FPGAworld '09: Proceedings of the 6th FPGAworld Conference

The Multi-Core NoC is a 4 by 4 Mesh NoC targeted for Altera FPGAs. It implements a deflective routing policy and is used to connect sixteen NIOS II processors. Each NIOS II is connected to the NoC via an address-mapped Resource Network Interface.

The ...
An efficient sparse matrix format for accelerating regular expression matching on field-programmable gate arrays

Regular expression matching is widely used in many programming languages and applications. A regular expression is transformed into a deterministic finite automata DFA for processing. However, the DFA requires large memory resources because of the state ...
A DFA with Extended Character-Set for Fast Deep Packet Inspection
ICPP '11: Proceedings of the 2011 International Conference on Parallel Processing

Deep packet inspection (DPI), based on regular expressions, is expressive, compact, and efficient in specifying attack signatures. We focus on their implementations based on general-purpose processors that are cost-effective and flexible to update. In ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ANCS '09: Proceedings of the 5th ACM/IEEE Symposium on Architectures for Networking and Communications Systems

October 2009

227 pages

ISBN:9781605586304

DOI:10.1145/1882486

General Chairs:
Peter Onufryk
IDT
,
K. K. Ramakrishnan
AT&T Labs - Research
,
Program Chairs:
Patrick Crowley
Washington University in St. Louis
,
John Wroclawski
USC

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGCOMM: ACM Special Interest Group on Data Communication
SIGARCH: ACM Special Interest Group on Computer Architecture
IEEE-CS\TCCA: TC on Computer Arhitecture

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 19 October 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

ANCS '09

Sponsor:

SIGCOMM
SIGARCH
IEEE-CS\TCCA

ANCS '09: Symposium on Architecture for Networking and Communications Systems

October 19 - 20, 2009

New Jersey, Princeton

Acceptance Rates

Overall Acceptance Rate 88 of 314 submissions, 28%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
210
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)1

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Niemiec GBatista LSchaeffer-Filho ANazar G(2020)A Survey on FPGA Support for the Feasible Execution of Virtualized Network FunctionsIEEE Communications Surveys & Tutorials10.1109/COMST.2019.294369022:1(504-525)Online publication date: 1-Jan-2020
https://dl.acm.org/doi/10.1109/COMST.2019.2943690
Hsu CWang S(2013)An Embedded NIDS with Multi-core Aware Packet CaptureProceedings of the 2013 IEEE 16th International Conference on Computational Science and Engineering10.1109/CSE.2013.119(778-785)Online publication date: 3-Dec-2013
https://dl.acm.org/doi/10.1109/CSE.2013.119
Jiang HYang JXie G(2011)Exploring and Enhancing the Performance of Parallel IDS on Multi-core ProcessorsProceedings of the 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications10.1109/TrustCom.2011.86(673-680)Online publication date: 16-Nov-2011
https://dl.acm.org/doi/10.1109/TrustCom.2011.86

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten