Author: Yaron Weinsberg, Shimrit Tzur-David, Danny Dolev and Tal Anker


1 High Performance String Matching Algorithm for a Network Intrusion Prevention System (NIPS)
Author: Yaron Weinsberg, Shimrit Tzur-David, Danny Dolev and Tal Anker
Publisher: High Performance Switching and Routing, 2006
Presenter: Tsung-Lin Hsieh
Date: 2011/09/28

2 Outline
Introduction
RTCAM algorithm
Experimental Results

3 Introduction The pattern-matching algorithm must be able to operate at wire speed. With networking speeds doubling every year, it is becoming increasingly difficult for software-based solutions to keep up with the line rates. This paper presents a novel pattern matching algorithm, called RTCAM (Rotating TCAM), which suggests the usage of an off-the-shelf TCAM and some additional logic that can be implemented in HW.

4 Example of Snort's rules
within - the maximum number of bytes allowed between two successive pattern matches.
offset - indicates from where in the packet the pattern should be searched.
distance - the minimum number of bytes allowed between two successive matches.
depth - how far into the packet the algorithm should search for the specified pattern.

5 RTCAM Algorithm Populating the TCAM: two phases
Phase I: Split patterns into w-size chunks.
Phase II: Create shifted sub-patterns for each prefix by shifting the prefix to the right and adding don't-care bits (thus the name Rotating TCAM).

6 RTCAM Algorithm Populating the TCAM w = 4

7 RTCAM Algorithm Procedure:
1. Construct a key of size w bytes at a position pos in the packet payload, with initial pos = 0.
2. Perform a TCAM lookup.
3. If the associated shift value is not equal to zero, repeat the first step after the specified shift.
4. If it is zero, a match occurs. Use the associated data structures to access the possible pattern. Build sub-patterns iteratively and use the TCAM for lookup. A complete match only occurs when all sub-patterns match with a shift of zero.
5. Repeat the first step with a shift of one.

8 RTCAM Algorithm Patterns List:
TCAM_Ptrs are used when the pattern's length is greater than w.

9 RTCAM Algorithm TCAM Rules Table (TRT): correlates a TCAM row and the patterns list.

10 RTCAM Algorithm Matched Pattern List : Rules List :

11 RTCAM Algorithm Example: Input Packet = "WWABCDEFTXYZABCDARP"
Matched Against

12 RTCAM Algorithm “WWABCDEFTXYZABCDAR”
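
The population phases and lookup procedure from slides 5 to 7, run over the packet from slide 11, as a Python simulation added here (it is not code from the paper or the slides). The three patterns are constructed, padding a short final chunk with don't-care bytes is an assumption, and the remaining chunks are verified by direct comparison instead of through the TRT and patterns-list structures, whose contents are not in this transcript.

```python
W = 4        # TCAM width in bytes (w = 4, as on slide 6)
ANY = None   # don't-care byte in a TCAM row

def chunked(p, w=W):
    """Phase I: split a pattern into w-byte chunks; a short tail is padded with don't-cares (assumption)."""
    return [tuple(p[i:i + w]) + (ANY,) * (w - len(p[i:i + w])) for i in range(0, len(p), w)]

def build_tcam(patterns, w=W):
    """Phase II: for each pattern's first chunk, add w rows shifted right by s with s leading don't-cares."""
    rows = [(s, (ANY,) * s + chunked(p, w)[0][:w - s], p) for p in patterns for s in range(w)]
    return sorted(rows, key=lambda r: r[0])   # lower shift value = higher TCAM priority

def key_at(payload, pos, w=W):
    """w-byte lookup key; positions past the end of the packet become -1, which no literal byte equals."""
    k = tuple(payload[pos:pos + w])
    return k + (-1,) * (w - len(k))

def matches(row, key):
    return all(r is ANY or r == k for r, k in zip(row, key))

def lookup(rows, key, w=W):
    """Return (shift, candidates). No hit at all means no prefix starts in this window: skip w bytes."""
    hits = [(s, p) for s, row, p in rows if matches(row, key)]
    if not hits:
        return w, []
    return hits[0][0], [p for s, p in hits if s == 0]

def scan(payload, patterns, w=W):
    """Return (matches as (offset, pattern), list of window positions probed)."""
    rows, found, probed, pos = build_tcam(patterns, w), [], [], 0
    while pos < len(payload):
        probed.append(pos)
        shift, cands = lookup(rows, key_at(payload, pos, w), w)
        if shift:                 # non-zero shift: slide the window and look up again
            pos += shift
            continue
        for p in cands:           # shift 0: every chunk of the pattern must match in turn
            if all(matches(c, key_at(payload, pos + i * w, w)) for i, c in enumerate(chunked(p, w))):
                found.append((pos, p))
        pos += 1                  # then repeat with a shift of one
    return found, probed

# Packet from slide 11; the three patterns are constructed for this example.
PACKET = b"WWABCDEFTXYZABCDARP"
PATTERNS = [b"ABCDEFTX", b"ABCDAR", b"TXYZ"]

if __name__ == "__main__":
    print(scan(PACKET, PATTERNS))
```

The second element of the result lists the window positions that were looked up: 9 probes for a 19-byte packet, which is the effect the shift values are meant to produce.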

13 Experimental Results
Fully implemented a software version of an RTCAM-NIPS device written in Java and have tested our simulation with two complex pattern sets:
ClamAV [17] – Ver 0.82, 26987 simple patterns
Snort [3]
The input for our NIPS was comprised of a real packet trace from the MIT DARPA project [18].

14 Experimental Results ClamAV rule set : Snort rule set :

15 Experimental Results Scanning Time Results :

16 Experimental Results Scanning Time Results :

17 Experimental Results For a TCAM width of 24:
Since the RTCAM algorithm accesses the SRAM on every TCAM lookup, the scan ratio is 2 [12].
Average shift value is 7.4.
SRAM access speed is 5 times the TCAM access speed.
So, throughput = (2*7.4) / (1+0.2) = 12.35 Gbps (60%)

