Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pipelined Architecture for Multi-String Matching

Published byKatja Frei Modified over 5 years ago

Similar presentations

Presentation on theme: "Pipelined Architecture for Multi-String Matching"— Presentation transcript:

1 Pipelined Architecture for Multi-String Matching
2019/5/10 Pipelined Architecture for Multi-String Matching Author: Derek Pao, Wei Lin, and Bin Liu Presenter: Yi-Hsien Wu Conference: IEEE Computer Architecture Letters Date: 2017/6/7 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab 1

2 Outline Introduction Background Pipelined Architecture
Performance Evaluation Conclusion National Cheng Kung University CSIE Computer & Internet Architecture Lab

3 2019/5/10 Introduction Many of the proposed hardware solutions are based on the well-known Aho-Corasick (AC) algorithm , where the system is modeled as a deterministic finite automaton (DFA). The AC algorithm solves the string matching problem in time linearly proportional to the length of the input stream. However, the memory requirement is prohibitive in a straightforward hardware implementation. In this letter, we present a pipelined processing approach to the implementation of AC algorithm, called P-AC. The control logic of P-AC is simple and elegant. The memory cost is less than 30% of the best known AC-based methods. When the controller is responsible for all the tasks it becomes a bottleneck and the solution does not scale well. (reason 2) National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

4 2019/5/10 Background An entry in the transition rule table is a 3-tuple E=(u=current state, i=input symbol, v=next state). A match result is generated when the system reaches an output state. Black line : forward edge ; Dashed line : cross edge ; When the controller is responsible for all the tasks it becomes a bottleneck and the solution does not scale well. (reason 2) National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

5 Pipelined Architecture
2019/5/10 Pipelined Architecture Suppose the input stream is “appastxyz” . In the proposed pipelined architecture, a new thread is initiated to trace along the automaton starting from the current input character in each cycle. By doing so, the system only needs to store the forward edges in the transition rule table. The OpenSec framework : Security functions are provided by the processing units; traffic is routed to each processing unit based on requiremens given through security policies; the reaction to security alerts is automated. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

6 Pipelined Architecture
2019/5/10 Pipelined Architecture Processing of Long Signatures : In general, signatures can be longer than the hardware pipeline. Assume the pipeline has k+1 stages numbered from 0 to k, where the last stage is only used to buffer the search result of stage k-1. Strings longer than k characters are divided into segments of length k, except for the last segment whose length can be less than k. Docker Community Edition (CE) is ideal for developers and small teams looking to get started with Docker and experimenting with container-based apps. Docker 專案的目標是實作輕量級的作業系統虛擬化解決方案 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

7 Pipelined Architecture
2019/5/10 Pipelined Architecture Consider a signature set with 4 strings = {and, test, instructions, instrument}. Assume k is equal to 4, there are 7 segmented strings {nt, and, ions, inst, ruct, rume, test}. Each segment is assigned a unique segment ID and a Boolean flag L( is equal to 1 if the segment is part of a long string) . Docker Community Edition (CE) is ideal for developers and small teams looking to get started with Docker and experimenting with container-based apps. Docker 專案的目標是實作輕量級的作業系統虛擬化解決方案 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

8 Pipelined Architecture
2019/5/10 Pipelined Architecture Docker Community Edition (CE) is ideal for developers and small teams looking to get started with Docker and experimenting with container-based apps. Docker 專案的目標是實作輕量級的作業系統虛擬化解決方案 Let’s consider an example with the input stream equals to “test instrument …” . National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

9 Pipelined Architecture
2019/5/10 Pipelined Architecture Docker Community Edition (CE) is ideal for developers and small teams looking to get started with Docker and experimenting with container-based apps. Docker 專案的目標是實作輕量級的作業系統虛擬化解決方案 In cycle 5 the last stage of the pipeline detects the string “test”. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

10 Pipelined Architecture
2019/5/10 Pipelined Architecture <SD> Docker Community Edition (CE) is ideal for developers and small teams looking to get started with Docker and experimenting with container-based apps. Docker 專案的目標是實作輕量級的作業系統虛擬化解決方案 In cycle 10, the pipeline unit detects the segment “inst” and passes its segment ID <SD> to the AU. The state value <SD> will then be shifted into B1 at the start of the next cycle. <SD> National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

11 Pipelined Architecture
2019/5/10 Pipelined Architecture <SDSF> <SF> <SD> Docker Community Edition (CE) is ideal for developers and small teams looking to get started with Docker and experimenting with container-based apps. Docker 專案的目標是實作輕量級的作業系統虛擬化解決方案 In cycle 14, the pipeline detects the segment “rume”and sends the segment ID <SF> to the AU. At this moment, the state value <SD> would have been shifted down to buffer slot B4. The DFA unit looks up table TD using the state value <SD> and the segment ID <SF> to find the next state <SDSF>. <SF> National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

12 Pipelined Architecture
2019/5/10 Pipelined Architecture <SDSF> Docker Community Edition (CE) is ideal for developers and small teams looking to get started with Docker and experimenting with container-based apps. Docker 專案的目標是實作輕量級的作業系統虛擬化解決方案 In cycle 16, the segment “nt” is detected at stage 2 of the pipeline unit. At this moment, the state value <SDSF> is stored in buffer slot B2. On receiving the segment ID <SA> for “nt”, PM2 sends a lookup request to the CMT and finds the matched string “instrument” . <SA> National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

13 Pipelined Architecture
2019/5/10 Pipelined Architecture In principle the pipeline unit may find a matched segment in each stage at each cycle. As a result, concurrent access to the CMT may be required. When there are multiple access requests, the requests are queued and served in FIFO order. Docker Community Edition (CE) is ideal for developers and small teams looking to get started with Docker and experimenting with container-based apps. Docker 專案的目標是實作輕量級的作業系統虛擬化解決方案 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

14 Performance Evaluation
2019/5/10 Performance Evaluation We extract 4434 distinct signatures from the Snort rule set . The signatures are converted into lower case letters. The average signature length is about 19 characters, and the total character count is About 98% of the signatures have no more than 64 characters. Our evaluation indicates that better memory efficiency is obtained when the segment length is in the range of 4 to 6. For k=4, the number of entries in the lookup tables for the pipeline unit, the DFA unit, and CMT are 22031, 19289, and 3076, respectively. The width of the state ID for the pipeline unit and the DFA unit are 15 bits and 14 bits, respectively. The amount of memory space occupied by the entries of the lookup tables is 220KB. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

15 Performance Evaluation
2019/5/10 Performance Evaluation National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

16 2019/5/10 Conclusion A pipelined approach for hardware implementation of the Aho-Corasick algorithm called P-AC is presented. The system maintains multiple threads that traverse the automaton concurrently. Only forward edges of the state graph need to be stored in the lookup tables. In contrast to previously published heuristic-based methods, edge reduction in P-AC is guaranteed algorithmically. This is an advantage that ensures scalability of the method in handling fast expanding signature sets of network intrusion detection systems. For a signature set with 4434 strings extracted from Snort, the memory cost of P-AC is as low as 21.5 bits/char, which is less than 30% of the best known AC-based methods. Simplicity and elegance of the pipeline control allows the system to operate at high clock rate. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

Download ppt "Pipelined Architecture for Multi-String Matching"

Similar presentations

Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.

Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.
Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,

Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,
Scalable IPv6 Lookup/Update Design for High-Throughput Routers Authors: Chung-Ho Chen, Chao-Hsien Hsu, Chen -Chieh Wang Presenter: Yi-Sheng, Lin ( 林意勝.

Scalable IPv6 Lookup/Update Design for High-Throughput Routers Authors: Chung-Ho Chen, Chao-Hsien Hsu, Chen -Chieh Wang Presenter: Yi-Sheng, Lin ( 林意勝.
1 Multi-Core Architecture on FPGA for Large Dictionary String Matching Department of Computer Science and Information Engineering National Cheng Kung University,

1 Multi-Core Architecture on FPGA for Large Dictionary String Matching Department of Computer Science and Information Engineering National Cheng Kung University,
1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.

1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.
An Efficient and Scalable Pattern Matching Scheme for Network Security Applications Department of Computer Science and Information Engineering National.

An Efficient and Scalable Pattern Matching Scheme for Network Security Applications Department of Computer Science and Information Engineering National.
Pipelined Architecture For Multi-String Match Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.

Pipelined Architecture For Multi-String Match Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.
1 Performing packet content inspection by longest prefix matching technology Authors: Nen-Fu Huang, Yen-Ming Chu, Yen-Min Wu and Chia- Wen Ho Publisher:

1 Performing packet content inspection by longest prefix matching technology Authors: Nen-Fu Huang, Yen-Ming Chu, Yen-Min Wu and Chia- Wen Ho Publisher:
Memory-Efficient Regular Expression Search Using State Merging Department of Computer Science and Information Engineering National Cheng Kung University,

Memory-Efficient Regular Expression Search Using State Merging Department of Computer Science and Information Engineering National Cheng Kung University,
1 Route Table Partitioning and Load Balancing for Parallel Searching with TCAMs Department of Computer Science and Information Engineering National Cheng.

1 Route Table Partitioning and Load Balancing for Parallel Searching with TCAMs Department of Computer Science and Information Engineering National Cheng.
OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.

OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.
Packet Classification using Rule Caching Author: Nitesh B. Guinde, Roberto Rojas-Cessa, Sotirios G. Ziavras Publisher: IISA, 2013 Fourth International.

Packet Classification using Rule Caching Author: Nitesh B. Guinde, Roberto Rojas-Cessa, Sotirios G. Ziavras Publisher: IISA, 2013 Fourth International.
Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems Author: Domenico Ficara, Gianni Antichi, Andrea Di Pietro, Stefano.

Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems Author: Domenico Ficara, Gianni Antichi, Andrea Di Pietro, Stefano.
Fast forwarding table lookup exploiting GPU memory architecture Author : Youngjun Lee,Minseon Jeong,Sanghwan Lee,Eun-Jin Im Publisher : Information and.

Fast forwarding table lookup exploiting GPU memory architecture Author : Youngjun Lee,Minseon Jeong,Sanghwan Lee,Eun-Jin Im Publisher : Information and.
Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:

Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:
A Regular Expression Matching Algorithm Using Transition Merging Department of Computer Science and Information Engineering National Cheng Kung University,

A Regular Expression Matching Algorithm Using Transition Merging Department of Computer Science and Information Engineering National Cheng Kung University,
A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,

A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,
StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:
Deterministic Finite Automaton for Scalable Traffic Identification: the Power of Compressing by Range Authors: Rafael Antonello, Stenio Fernandes, Djamel.

Deterministic Finite Automaton for Scalable Traffic Identification: the Power of Compressing by Range Authors: Rafael Antonello, Stenio Fernandes, Djamel.
Regular Expression Matching for Reconfigurable Packet Inspection Authors: Jo˜ao Bispo, Ioannis Sourdis, Jo˜ao M.P. Cardoso and Stamatis Vassiliadis Publisher:

Regular Expression Matching for Reconfigurable Packet Inspection Authors: Jo˜ao Bispo, Ioannis Sourdis, Jo˜ao M.P. Cardoso and Stamatis Vassiliadis Publisher:

Similar presentations

Ads by Google