TY - GEN
T1 - A memory efficient multiple pattern matching architecture for network security
AU - Song, T.
AU - Zhang, W.
AU - Wang, D.
AU - Xue, Y.
PY - 2008
Y1 - 2008
N2 - Pattern matching is one of the most important components for the content inspection based applications of network security, and it requires well designed algorithms and architectures to keep up with the increasing network speed. For most of the solutions, AC and its derivative algorithms are widely used. They are based on the DFA model but utilize large amount of memory because of so many transition rules. An algorithm, called ACC, is presented in this paper for multiple pattern matching. It uses a novel model, namely cached deterministic finite automate (CDFA). In ACC, by using CDFA, only 4.1% transition rules for ClamAV (20.8% for Snort) are needed to represent the same function using DFA built by AC. This paper also proposes a new scheme named next-state addressing (NSA) to store and access transition rules of DFA in memory. Using this method, transition rules can be efficiently stored and directly accessed. Finally the architecture for multiple pattern matching is optimized by several approaches. Experiments show our architecture can achieve matching speed faster than 10Gbps with very efficient memory utilization, i.e., 81KB memory for 1.8K Snort rules with total 29K characters, and 9.5MB memory for 50K ClamAV rules with total 4.44M characters. A single architecture is memory efficient for large pattern set, and it is possible to support more than 10M patterns with at most half amount of the memory utilization compared to the state-of-the-art architectures.
AB - Pattern matching is one of the most important components for the content inspection based applications of network security, and it requires well designed algorithms and architectures to keep up with the increasing network speed. For most of the solutions, AC and its derivative algorithms are widely used. They are based on the DFA model but utilize large amount of memory because of so many transition rules. An algorithm, called ACC, is presented in this paper for multiple pattern matching. It uses a novel model, namely cached deterministic finite automate (CDFA). In ACC, by using CDFA, only 4.1% transition rules for ClamAV (20.8% for Snort) are needed to represent the same function using DFA built by AC. This paper also proposes a new scheme named next-state addressing (NSA) to store and access transition rules of DFA in memory. Using this method, transition rules can be efficiently stored and directly accessed. Finally the architecture for multiple pattern matching is optimized by several approaches. Experiments show our architecture can achieve matching speed faster than 10Gbps with very efficient memory utilization, i.e., 81KB memory for 1.8K Snort rules with total 29K characters, and 9.5MB memory for 50K ClamAV rules with total 4.44M characters. A single architecture is memory efficient for large pattern set, and it is possible to support more than 10M patterns with at most half amount of the memory utilization compared to the state-of-the-art architectures.
KW - Intrusion detection
KW - String matching
KW - Virus scanning
KW - ds-pattern matching
UR - http://www.scopus.com/inward/record.url?scp=51349102260&partnerID=8YFLogxK
U2 - 10.1109/INFOCOM.2007.42
DO - 10.1109/INFOCOM.2007.42
M3 - Conference contribution
AN - SCOPUS:51349102260
SN - 9781424420261
T3 - Proceedings - IEEE INFOCOM
SP - 673
EP - 681
BT - INFOCOM 2008
T2 - INFOCOM 2008: 27th IEEE Communications Society Conference on Computer Communications
Y2 - 13 April 2008 through 18 April 2008
ER -