Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood.

Published byMadison Mountcastle Modified over 10 years ago

Similar presentations

Presentation on theme: "Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood."— Presentation transcript:

1 Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood

2 Sarang Dharmapurikar Motivation ●Deep packet inspection  Detection of Internet worms, computer viruses, SPAM, copyrighted material, Intrusion Detection/Prevention  Layer-7 switching  Content classification ●Needs fast string matching mechanism ●Some desirable features of the mechanism  String matching at line speed  Ability to detect strings at random locations in the payload  Ability to detect 1000s of strings  Ability to handle arbitrarily long strings

3 Sarang Dharmapurikar Aho-Corasick Algorithm ●Two Problems  At least 1 memory access per character (at the most 2) oSlows it down  Only one character at a time obottleneck s3 : tel s5 : phone s6 : elephant s4 : telephone s1 : technical s2 : technically l e p h a n q24 q25 q26 q27 q28 q29 q30 t q31 e l e p h o n e q12 q13 q14 q15 q16 q17 q18 q0 q1 t e c h n i q2 q3 q4 q5 q6 c a l q7 q8 q9 q11 y q10 l p h o n e q19 q20 q21 q22 q23

4 Sarang Dharmapurikar Why not use multiple engines? Engine 1 Engine 2 Engine 3 Engine 4 Incoming connections Each engine needs plenty of memory…. On-chip memory not practical We need a memory chip Multiple memory chips More pins, more power, more cost

5 Sarang Dharmapurikar Can we… ●Process Multiple characters at a time ●Without using multiple memory chips ? ●What if we have a small amount of on-chip memory?

6 Sarang Dharmapurikar Our Approach ●Modify Aho-Corasick to jump ahead by k characters  Jump Ahead Aho-CorasicK (JACK)-FA ●Represent JACK-FA as a hash table. Keep only one copy in the off-chip memory ●Keep k copies of the compressed & approximate JACK-FA hash table in on-chip memory  Use Bloom filters for approximate representation  Consumes very little memory Off-chip JACK-FA Data stream On-chip approximate JACK-FAs

7 Sarang Dharmapurikar JACK-FA s3 : tel s5 : phon e s6 : elep hant s4 : tele phon e s1 : tech nica l s2 : tech nica lly s3 : tel s5 : phone s6 : elephant s4 : telephone s1 : technical s2 : technically q0q0 q1q1 q5q5 tech nica s3, q 2 q6q6 tele phon q3q3 hant q4q4 S 6 q 7 elep s3s3 tel S 4, s 5 e s5s5 e s1s1 l lly S 1, s 2

8 Sarang Dharmapurikar String matching with JACK-FA technxyzicallyabc hant q0q0 q3q3 q4q4 q1q1 q2q2 q5q5 q6q6 S 6 q 7 tech nica tele phon elep s3s3 s1s1 S 4, s 5 s5s5 tel l llye e S 1, s 2 w

9 Sarang Dharmapurikar String matching with JACK-FA technxyzicallyabc hant q0q0 q3q3 q4q4 q1q1 q2q2 q5q5 q6q6 S 6 q 7 tech nica tele phon elep s3s3 s1s1 S 4, s 5 s5s5 tel l llye e S 1, s 2 w

10 Sarang Dharmapurikar String matching with JACK-FA technxyzicallyabc hant q0q0 q3q3 q4q4 q1q1 q2q2 q5q5 q6q6 S 6 q 7 tech nica tele phon elep s3s3 s1s1 S 4, s 5 s5s5 tel l llye e S 1, s 2 w

11 Sarang Dharmapurikar String matching with JACK-FA technxyzicallyabc hant q0q0 q3q3 q4q4 q1q1 q2q2 q5q5 q6q6 S 6 q 7 tech nica tele phon elep s3s3 s1s1 S 4, s 5 s5s5 tel l lly e e S 1, s 2 w

12 Sarang Dharmapurikar String matching with JACK-FA technxyzicallyabc hant q0q0 q3q3 q4q4 q1q1 q2q2 q5q5 q6q6 S 6 q 7 tech nica tele phon elep s3s3 s1s1 S 4, s 5 s5s5 tel l lly e e S 1, s 2 w

13 Sarang Dharmapurikar String matching with JACK-FA technxyzicallyabc hant q0q0 q3q3 q4q4 q1q1 q2q2 q5q5 q6q6 S 6 q 7 tech nica tele phon elep s3s3 s1s1 S 4, s 5 s5s5 tel l lly e e S 1, s 2 w

14 Sarang Dharmapurikar Why we need k JACK-FA technxyzicallyabc hant q0q0 q3q3 q4q4 q1q1 q2q2 q5q5 q6q6 S 6 q 7 tech nica tele phon elep s3s3 s1s1 S 4, s 5 s5s5 tel l lly e e S 1, s 2

15 Sarang Dharmapurikar Speed up technxyzicallyab

16 Sarang Dharmapurikar Speed up technxyzicallyab A single machine in off-chip memory k approximte and compressed machines in on-chip memory Use Bloom filters

17 Sarang Dharmapurikar Tabular Representation hant q0q0 q3q3 q4q4 q1q1 q2q2 q5q5 q6q6 S 6 q 7 tech nica tele phon elep s3s3 s1s1 S 4, s 5 s5s5 tel l llye e S 1, s 2 [state, substr]Next StateMatching strFailure Chain [q 0, tech]q1q1 -q0q0 [q 0, tele]q2q2 S3S3 q0q0 [q 0, phon]q3q3 -q0q0 [q 0, elep]q4q4 -q0q0 [q 1, nica]q5q5 -q0q0 [q 2, phon]q6q6 -q 3, q 0 [q 4, hant]q7q7 S6S6 q0q0 [q 0, tel]-S3S3 -[q 3, e]-S5S5 - [q 5, lly]-S 1, S 2 - [q 5, l]-S1S1 -[q 6, e]- S 4, S 5 -

18 Sarang Dharmapurikar Implementation with Bloom Filters [state, substr]Next StateMatching strFailure Chain [q 0, tech]q1q1 -q0q0 [q 0, tele]q2q2 S3S3 q0q0 [q 0, phon]q3q3 -q0q0 [q 0, elep]q4q4 -q0q0 [q 1, nica]q5q5 -q0q0 [q 2, phon]q3q3 -q 3, q 0 [q 4, hant]q7q7 S6S6 q0q0 [q 0, tel]- S3S3 - [q 3, e]- S5S5 - [q 5, lly]- S 1, S 2 - [q 5, l]- S1S1 - [q 6, e]- S 4, S 5 - B4B3B1B2 q

19 Sarang Dharmapurikar Implementation with Bloom Filters [state, substr]Next StateMatching strFailure Chain [q 0, tech]q1q1 -q0q0 [q 0, tele]q2q2 S3S3 q0q0 [q 0, phon]q3q3 -q0q0 [q 0, elep]q4q4 -q0q0 [q 1, nica]q5q5 -q0q0 [q 2, phon]q3q3 -q 3, q 0 [q 4, hant]q7q7 S6S6 q0q0 [q 0, tel]- S3S3 - [q 3, e]- S5S5 - [q 5, lly]- S 1, S 2 - [q 5, l]- S1S1 - [q 6, e]- S 4, S 5 - B4B3B1B2 q1q1 B4B3B1B2 q2q2 B4B3B1B2 q3q3 B4B3B1B2 q4q4

20 Sarang Dharmapurikar Throughput with Snort strings ●Off-chip memory: 250 MHz QDR-SRAM, 64-bit wide ●String concentration: 1 in 100 characters ●2250 strings ●2 to 122 character strings

21 Sarang Dharmapurikar Conclusions ●Fast string matching is an important module for Content filtering applications ●Off-chip memory accesses slow down string matching ●A large fraction of memory accesses can be avoided  Using a small on-chip memory and Bloom filters ●Our accelerated Aho-Corasick algorithm  can process 2250 strings  with less than 50KB on-chip memory  At a speed of more than 10Gbps

22 Thanks! Questions ?

23 Sarang Dharmapurikar Motivation ●The multi-pattern matching algorithm works for short strings (16 bytes)  Hash computation over long strings becomes problematic  Some virus signatures can be several hundred bytes long  Snort’s longest string is 122 bytes

24 Sarang Dharmapurikar

25 Accelerated Aho-Corasick Algorithm ●How to support arbitrarily large strings? At the cost of more memory?  Break a long string into multiple smaller pieces  Stitch them in a state machine  Match individual segment and track the state machine q0q0 q1q1 q2q2 q3q3 tech nically Symbols Tail

26 Sarang Dharmapurikar Speed up technxyzicallyab s1s1 s2s2 s3s3 s4s4

27 Sarang Dharmapurikar Multiple machines technxyzicallyab s1s1 s2s2 s3s3 s4s4

28 Sarang Dharmapurikar Multiple machines technxyzicallyab s1s1 s2s2 s3s3 s4s4

29 Sarang Dharmapurikar Multiple machines technxyzicallyab s1s1 s2s2 s3s3 s4s4

30 Sarang Dharmapurikar Multiple machines technxyzicallyab s1s1 s2s2 s3s3 s4s4

31 Sarang Dharmapurikar Multiple machines technxyzicallyab s1s1 s2s2 s3s3 s4s4

32 Sarang Dharmapurikar Aho-Corasick Algorithm ●Two Problems  At least 1 memory access per character (at the most 2) oSlows it down  Only one character at a time obottleneck s3 : tel s5 : phone s6 : elephant s4 : telephone s1 : technical s2 : technically q0 l e p h a n q24 q25 q26 q27 q28 q29 q30 t q31 q1 p e t e l c h n i e p h o n e q2 q3 q4 q5 q6 q12 q13 q14 q15 q16 q17 q18 c a l q7 q8 q9 q11 y q10 l h o n e q19 q20 q21 q22 q23

33 Sarang Dharmapurikar Bloom Filter X 1 1 1 1 1 m-bit Array H1H1 H2H2 H3H3 H4H4 HkHk Bloom Filter

34 Sarang Dharmapurikar Bloom Filter Y 1 1 1 1 1 m-bit Array 1 1 1 H1H1 H2H2 H3H3 H4H4 HkHk

35 Sarang Dharmapurikar Bloom Filter X 1 1 1 1 1 m-bit Array 1 1 1 match H1H1 H2H2 H3H3 H4H4 HkHk

36 Sarang Dharmapurikar Bloom Filter W 1 1 1 1 1 m-bit Array 1 1 1 Match (false positive) H1H1 H2H2 H3H3 H4H4 HkHk

37 Sarang Dharmapurikar Speed up technxyzicallyab

38 Sarang Dharmapurikar Speed up technxyzicallyab

39 Sarang Dharmapurikar Bloom filter Bloom Filter Is x present in the filter? {No, Yes} Can be a false positive But false positive probability is very small…like 0.001 Represents a set of strings Each string consumes very few bits…like 12 to 16 bits

Download ppt "Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood."

Similar presentations

Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection Nan Hua 1, Haoyu Song 2, T. V. Lakshman 2 1 Georgia Tech, 2 Bell Labs, Alcatel-Lucent.

Variable-Stride Multi-Pattern Matching For Scalable Deep Packet Inspection Nan Hua 1, Haoyu Song 2, T. V. Lakshman 2 1 Georgia Tech, 2 Bell Labs, Alcatel-Lucent.
August 8 th, 2011 Kevan Thompson Creating a Scalable Coherent L2 Cache.

August 8 th, 2011 Kevan Thompson Creating a Scalable Coherent L2 Cache.
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.

Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.
Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.

Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.
Segmented Hash: An Efficient Hash Table Implementation for High Performance Networking Subsystems Sailesh Kumar Patrick Crowley.

Segmented Hash: An Efficient Hash Table Implementation for High Performance Networking Subsystems Sailesh Kumar Patrick Crowley.
Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.

Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.
1 Fast Routing Table Lookup Based on Deterministic Multi- hashing Zhuo Huang, David Lin, Jih-Kwon Peir, Shigang Chen, S. M. Iftekharul Alam Department.

1 Fast Routing Table Lookup Based on Deterministic Multi- hashing Zhuo Huang, David Lin, Jih-Kwon Peir, Shigang Chen, S. M. Iftekharul Alam Department.
Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.

Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.
Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,

Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,
1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.

1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.
Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.

Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.
ECE 526 – Network Processing Systems Design Network Security: string matching algorithm Chapter 17: George Varghese.

ECE 526 – Network Processing Systems Design Network Security: string matching algorithm Chapter 17: George Varghese.
1 Performing packet content inspection by longest prefix matching technology Authors: Nen-Fu Huang, Yen-Ming Chu, Yen-Min Wu and Chia- Wen Ho Publisher:

1 Performing packet content inspection by longest prefix matching technology Authors: Nen-Fu Huang, Yen-Ming Chu, Yen-Min Wu and Chia- Wen Ho Publisher:
A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.

A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.
Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.
Gnort: High Performance Intrusion Detection Using Graphics Processors Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos Markatos,

Gnort: High Performance Intrusion Detection Using Graphics Processors Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos Markatos,

Similar presentations

Ads by Google