Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.

Published bySheryl Chandler Modified over 9 years ago

Similar presentations

Presentation on theme: "Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004."— Presentation transcript:

1 Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004

2 Motivation Malicious probes and worms spread Solutions: End-host based Anti-virus software, security patches Ineffective and costly Network based Network Intrusion Detection Systems (NIDS) Payload processing for thousands of complicated content patterns at line speed Fast and scalable multi-pattern matching schemes are highly needed

3 Current Pattern Matching Schemes Software based solutions Low speed FPGA base solutions Do not scale well in terms of space or overall latency for large number of patterns Bloom filters Able to handle thousands of patterns Build a bloom filter for each possible pattern length Hard to handle hundreds of possible pattern lengths

4 Problem Definition Pattern matching problem Given: a set of k patterns {P 1, P 2, …, P k }, k >= 1, and a packet of length n; Goal: find all the matching patterns in the packet. Simple patterns: Deterministic form: specific value of the 256 values Non-deterministic form: Case insensitive alphabet wildcard byte (*) Composite patterns: Negation(!) Correlated patterns

5 TCAM Three logic states: ‘0’, ‘1’, ‘?’ Given an input string, TCAM reports the lowest index match if there are multiple matches 4 ns lookup time Single-chip density ~ 2MB Width of each entry is configurable

6 Simple Pattern Matching Using TCAM Short patterns: length <= TCAM width w Pad with ‘?’ if less than w Organize patterns according to lengths in descending order Input packet shift one byte at a time Throughput: 2Gbps

7 Simple Pattern Matching Using TCAM Long patterns: length > TCAM width w Divide long pattern to multiple short patterns Prefix pattern: first w bytes Suffix patterns: remaining every w bytes. If the last suffix pattern is less than w bytes, pad it in the front with preceding bytes. Example: DEFGABCDL  DEFG -------------------- prefix pattern ABCD BCDL ------ Suffix patterns

8 Patterns in TCAM Pattern IndexPattern ContentsPrefix patternsSuffix patterns 1ABCDABCDABCD 2DEFGABCDLDEFGABCD, BCDL 3DEFGDEFDEFGGDEF 4DEF A B C D D E F G B C D L G D E F D E F ? TCAM Index 1 2 3 4 5

9 Data Structures in SRAM Pattern Index in TCAM Simple Pattern Index Prefix IndexSuffix Index 111 242 3 2 4 3 54 Combined Pattern Table A B C D D E F G B C D L G D E F D E F ? TCAM Index 1 2 3 4 5 Pattern Index Pattern Contents Prefix patternsSuffix patterns 1ABCDABCDABCD (1) 2DEFGABCDLDEFG (2),ABCD (1), BCDL (2) 3DEFGDEFDEFG (2)GDEF (3) 4DEF DEFGABCD (3)

10 Data Structures in SRAM Pattern IndexPattern ContentsPrefix patternsSuffix patterns 1ABCDABCDABCD (1) 2DEFGABCDLDEFG (2), DEFGABCD (3)ABCD (1), BCDL (2) 3DEFGDEFDEFG (2)GDEF (3) 4DEF Matching Table Prefix IndexSuffix IndexDistanceMatched Long Pattern Index 1141 2143* 2333 3141 3212 Partial Hit List (PHL) Generated during matching process

11 Algorithm for Long Pattern Matching Prefix Index Suffix Index Dist- ance Matched Long Pattern Index 1141 2143* 2333 3141 3212 Pattern Index in TCAM Simple Pattern Index Prefix Index Suffix Index 111 242 3 2 4 3 54 Partial Hit List (PHL) PositionPrefix Index PositionPrefix Index 12 PositionPrefix Index 53 Matching TableCombined Pattern Table

12 Composite Pattern Matching Correlated Patterns Partial hit record for sub-patterns kept in PHL because distance between two sub-patterns can be larger than w Example: content: “user”; content: “root”; within 20 prefix: user; suffix: root; distance: 4-20 ---- 17 entries in matching table Pattern with negations Usually part of a correlated pattern Pattern with wildcards Distance between upper case character and its corresponding lower case character is 32.

13 Analysis What is the impact of TCAM width on the scheme? TCAM SizeMatching Table Size TCAM Hit Rate PHL Size * k patterns, m i bytes each, TCAM width w, and random input stream

14 Analysis What is the impact of memory lookups on system scan rate? Two kinds of memory lookups can be pipelined With small TCAM hit rate and PHL size, overall scan time is dominated by TCAM lookup time

15 Malicious Attacks? Correlated patterns can cause problem Distance between sub-patterns can be larger than w -- PHL size   Backlogged memory lookups  Scan rate  Sub-patterns can be short -- Hit rate   PHL size   Scan rate  The probability of matching two patterns of 1 byte apart is very small, but packing sub-patterns consecutively to form a long packet can create a large PHL Limit max distance between sub-patterns

16 Simulation Results Rule sets: ClamAV (v0.15) virus signature database 1768 simple patterns Average pattern length = 55 bytes Pattern length: 6 ~ 2189 bytes SNORT (v2.1.2) 1039 simple patterns, 527 correlated patterns Mostly 10 ~ 100 bytes, some 1 ~ 4 bytes long Packet traces: Real – MIT trace (1M), Berkeley trace (6M) Synthetic – Randomly insert patterns in packet payload

17 ClamAV Pattern Set w = 128 bytes TCAM = 240KB SRAM < 10MB

18 ClamAV Pattern Set PHL size for ClamAV pattern set with real traces Avg PHL: Mean of average PHL size over all packets AvgMax PHL: Mean of maximum PHL size over all packets Max: Maximum PHL size in all packets

19 ClamAV Pattern Set PHL size for ClamAV pattern set with synthetic traces SRAM lookup can catch up with the TCAM lookup Scan rate = 2Gbps

20 SNORT Pattern Set PHL size for SNORT pattern set with real traces Win- dow Size MIT DumpBerkeley Dump Avg Max Avg Max 200.55232.768380.47021.576512 400.98813.5376140.65001.866118 601.31513.9960140.73131.965223 801.54914.2158160.75872.037324 1001.68674.3485180.76612.074025 1201.77254.4475180.76692.076825 1401.83084.5722190.76692.076825 1601.88004.6643190.76692.076825 1801.92444.7386190.76692.076825 2001.96624.8079200.76692.076825 w = 128, TCAM size = 295KB

21 SNORT Pattern Set Scan Ratio = Total scan time/Total TCAM lookup time Memory Ratio = SRAM access time/TCAM access time Scan rate > 1Gbps Effects of Memory ratio on scan ratio

22 Conclusion A simple multi-pattern matching algorithm using TCAM Support thousands of patterns with variable lengths Support long patterns, correlated patterns, pattern with negation and wildcards Achieve multi-gigabit rate on ClamAV and SNORT pattern sets

Download ppt "Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004."

Similar presentations

Gigabit Rate Packet Pattern-Matching Using TCAM

Gigabit Rate Packet Pattern-Matching Using TCAM
1 SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Marti Austin Motoyama 1 Randy H. Katz 1 1 EECS.

1 SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Marti Austin Motoyama 1 Randy H. Katz 1 1 EECS.
Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood.

Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood.
A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.

A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.
Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.

Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
1 An Efficient, Hardware-based Multi-Hash Scheme for High Speed IP Lookup Hot Interconnects 2008 Socrates Demetriades, Michel Hanna, Sangyeun Cho and Rami.

1 An Efficient, Hardware-based Multi-Hash Scheme for High Speed IP Lookup Hot Interconnects 2008 Socrates Demetriades, Michel Hanna, Sangyeun Cho and Rami.
Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.

Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.
Space-for-Time Tradeoffs

Space-for-Time Tradeoffs
Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.

Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.
1 Fast Routing Table Lookup Based on Deterministic Multi- hashing Zhuo Huang, David Lin, Jih-Kwon Peir, Shigang Chen, S. M. Iftekharul Alam Department.

1 Fast Routing Table Lookup Based on Deterministic Multi- hashing Zhuo Huang, David Lin, Jih-Kwon Peir, Shigang Chen, S. M. Iftekharul Alam Department.
Fast, Memory-Efficient Traffic Estimation by Coincidence Counting Fang Hao 1, Murali Kodialam 1, T. V. Lakshman 1, Hui Zhang 2, 1 Bell Labs, Lucent Technologies.

Fast, Memory-Efficient Traffic Estimation by Coincidence Counting Fang Hao 1, Murali Kodialam 1, T. V. Lakshman 1, Hui Zhang 2, 1 Bell Labs, Lucent Technologies.
Technical University of Crete Packet Pre-filtering for Network Intrusion Detection Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis.

Technical University of Crete Packet Pre-filtering for Network Intrusion Detection Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis.
1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.

1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.
Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,

Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,
Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.

Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.
Efficient IP-Address Lookup with a Shared Forwarding Table for Multiple Virtual Routers Author: Jing Fu, Jennifer Rexford Publisher: ACM CoNEXT 2008 Presenter:

Efficient IP-Address Lookup with a Shared Forwarding Table for Multiple Virtual Routers Author: Jing Fu, Jennifer Rexford Publisher: ACM CoNEXT 2008 Presenter:
1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu

1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
Efficient Multi-Match Packet Classification with TCAM Fang Yu

Efficient Multi-Match Packet Classification with TCAM Fang Yu

Similar presentations

Ads by Google