Reviewer: Jing Lu. Gigabit Rate Packet Pattern-Matching Using TCAM. Fang Yu, Randy H. Katz (UC Berkeley), T. V. Lakshman (Bell Labs, Lucent). ICNP 2004.



2 Motivation
- Malicious probes and worms spread
- Solutions:
  - End-host based: anti-virus software, security patches; ineffective and costly
  - Network based: Network Intrusion Detection Systems (NIDS); payload processing for thousands of complicated content patterns at line speed
- Fast and scalable multi-pattern matching schemes are highly needed

3 Current Pattern Matching Schemes
- Software-based solutions: low speed
- FPGA-based solutions: do not scale well in terms of space or overall latency for a large number of patterns
- Bloom filters: able to handle thousands of patterns, but a Bloom filter is built for each possible pattern length, so hundreds of possible pattern lengths are hard to handle

4 Problem Definition
- Pattern matching problem
  - Given: a set of k patterns {P_1, P_2, …, P_k}, k >= 1, and a packet of length n
  - Goal: find all the matching patterns in the packet
- Simple patterns:
  - Deterministic form: a specific value out of the 256 byte values
  - Non-deterministic form: case-insensitive alphabet, wildcard byte (*)
- Composite patterns:
  - Negation (!)
  - Correlated patterns

5 TCAM
- Three logic states: ‘0’, ‘1’, ‘?’
- Given an input string, the TCAM reports the lowest-index match if there are multiple matches
- 4 ns lookup time
- Single-chip density ~2 MB
- Width of each entry is configurable

6 Simple Pattern Matching Using TCAM
- Short patterns: length <= TCAM width w
  - Pad with ‘?’ if shorter than w
  - Organize patterns according to length in descending order
  - Shift the input packet one byte at a time
  - Throughput: 2 Gbps

7 Simple Pattern Matching Using TCAM
- Long patterns: length > TCAM width w
  - Divide the long pattern into multiple short patterns
  - Prefix pattern: the first w bytes
  - Suffix patterns: each remaining run of w bytes. If the last suffix pattern is shorter than w bytes, pad it in the front with the preceding bytes.
  - Example (w = 4): DEFGABCDL gives the prefix pattern DEFG and the suffix patterns ABCD and BCDL (the final byte L is front-padded with the preceding bytes BCD)

8 Patterns in TCAM

Pattern Index | Pattern Contents | Prefix patterns | Suffix patterns
1 | ABCDABCD | ABCD | ABCD
2 | DEFGABCDL | DEFG | ABCD, BCDL
3 | DEFGDEF | DEFG | GDEF
4 | DEF | |

TCAM contents:

TCAM Index | Entry
1 | A B C D
2 | D E F G
3 | B C D L
4 | G D E F
5 | D E F ?

9 Data Structures in SRAM

Combined Pattern Table (one row per TCAM entry; a blank cell means the entry plays no such role):

Pattern Index in TCAM | Simple Pattern Index | Prefix Index | Suffix Index
1 | | 1 | 1
2 | 4 | 2 |
3 | | | 2
4 | | | 3
5 | 4 | |

TCAM contents:

TCAM Index | Entry
1 | A B C D
2 | D E F G
3 | B C D L
4 | G D E F
5 | D E F ?

Patterns with their prefix and suffix indices in parentheses:

Pattern Index | Pattern Contents | Prefix patterns | Suffix patterns
1 | ABCDABCD | ABCD | ABCD (1)
2 | DEFGABCDL | DEFG (2), DEFGABCD (3) | ABCD (1), BCDL (2)
3 | DEFGDEF | DEFG (2) | GDEF (3)
4 | DEF | |

10 Data Structures in SRAM

Pattern Index | Pattern Contents | Prefix patterns | Suffix patterns
1 | ABCDABCD | ABCD | ABCD (1)
2 | DEFGABCDL | DEFG (2), DEFGABCD (3) | ABCD (1), BCDL (2)
3 | DEFGDEF | DEFG (2) | GDEF (3)
4 | DEF | |

Matching Table:

Prefix Index | Suffix Index | Distance | Matched Long Pattern Index
1 | 1 | 4 | 1
2 | 1 | 4 | 3*
2 | 3 | 3 | 3
3 | 1 | 4 | 1
3 | 2 | 1 | 2

(* the combination DEFG + ABCD is not a complete pattern yet; it yields the longer prefix DEFGABCD, prefix index 3)

Partial Hit List (PHL): generated during the matching process

11 Algorithm for Long Pattern Matching
- Uses the Matching Table and the Combined Pattern Table from slides 9 and 10
- Partial Hit List (PHL), columns Position | Prefix Index, as it evolves during the scan:
  - initially empty
  - after the prefix hit: 1 | 2
  - after the suffix hit extends that prefix: 5 | 3
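As an added illustration of slides 6 to 11 (example code written for this page, not the authors' implementation), the following simulates the TCAM scan with the slide tables: a priority-ordered TCAM with ‘?’ don't-care bytes, the Combined Pattern Table, the Matching Table and the PHL. It assumes w = 4, 1-based positions, and that TCAM entry 2 (DEFG) also lists simple pattern 4 (DEF) in the combined table, as the lowest-index rule would otherwise hide the DEF hit.

```python
# TCAM-style multi-pattern scan for the slide example (w = 4).
W = 4
# Constructed TCAM contents (slide 8): lowest matching index is reported,
# '?' matches any byte. Indices are 1-based to match the slides.
TCAM = ["ABCD", "DEFG", "BCDL", "GDEF", "DEF?"]
# Combined pattern table: TCAM index -> (simple pattern, prefix index, suffix index).
# Entry 2 (DEFG) also carries simple pattern 4 (DEF): the TCAM reports only the
# lowest index, so a DEFG hit must imply the shorter DEF hit (assumption).
COMBINED = {1: (None, 1, 1), 2: (4, 2, None), 3: (None, None, 2),
            4: (None, None, 3), 5: (4, None, None)}
# Matching table: (prefix, suffix, distance) -> a final match or a longer
# prefix (the '*' rows of slide 10, e.g. DEFG + ABCD -> DEFGABCD = prefix 3).
MATCHING = {(1, 1, 4): ("match", 1), (2, 1, 4): ("prefix", 3),
            (2, 3, 3): ("match", 3), (3, 1, 4): ("match", 1),
            (3, 2, 1): ("match", 2)}


def tcam_lookup(window):
    """Lowest TCAM index whose entry matches the (possibly short) window."""
    for idx, entry in enumerate(TCAM, start=1):
        if all(e == "?" or (i < len(window) and e == window[i])
               for i, e in enumerate(entry)):
            return idx
    return None


def scan(packet, max_dist=W):
    """Return sorted (pattern index, 1-based position of the completing hit)."""
    hits, phl = set(), []            # PHL entries: (position, prefix index)
    for pos in range(1, len(packet) + 1):
        idx = tcam_lookup(packet[pos - 1:pos - 1 + W])   # shift one byte
        if idx is None:
            continue
        simple, prefix, suffix = COMBINED[idx]
        if simple is not None:
            hits.add((simple, pos))
        if suffix is not None:       # try to extend every pending partial hit
            for ppos, pidx in list(phl):
                kind, val = MATCHING.get((pidx, suffix, pos - ppos), (None, None))
                if kind == "match":
                    hits.add((val, pos))
                elif kind == "prefix":
                    phl.append((pos, val))
        if prefix is not None:
            phl.append((pos, prefix))
        # Slide 15's mitigation: bound the PHL by dropping stale partial hits.
        phl = [(p, i) for p, i in phl if pos - p < max_dist]
    return sorted(hits)


if __name__ == "__main__":
    for pkt in ("DEFGABCDL", "ABCDABCD", "DEFGDEF"):
        print(pkt, scan(pkt))
```

Scanning DEFGABCDL reproduces the PHL progression of slide 11: (1, 2) after DEFG, (5, 3) after ABCD, and pattern 2 reported when BCDL hits one byte later.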

12 Composite Pattern Matching
- Correlated patterns
  - Partial hit records for sub-patterns are kept in the PHL because the distance between two sub-patterns can be larger than w
  - Example: content: “user”; content: “root”; within 20 → prefix: user; suffix: root; distance: 4–20 → 17 entries in the matching table
- Patterns with negations
  - Usually part of a correlated pattern
- Patterns with wildcards
  - The distance between an upper-case character and its corresponding lower-case character is 32

13 Analysis
- What is the impact of TCAM width on the scheme?
  - TCAM size
  - Matching table size
  - TCAM hit rate
  - PHL size
- * k patterns, m_i bytes each, TCAM width w, and a random input stream

14 Analysis
- What is the impact of memory lookups on the system scan rate?
  - The two kinds of memory lookups can be pipelined
  - With a small TCAM hit rate and PHL size, the overall scan time is dominated by the TCAM lookup time

15 Malicious Attacks?
- Correlated patterns can cause problems
  - The distance between sub-patterns can be larger than w: the PHL size grows, memory lookups become backlogged, and the scan rate drops
  - Sub-patterns can be short: the hit rate rises, the PHL size grows, and the scan rate drops
- The probability of matching two patterns 1 byte apart is very small, but packing sub-patterns consecutively to form a long packet can create a large PHL
- Mitigation: limit the maximum distance between sub-patterns

16 Simulation Results
- Rule sets:
  - ClamAV (v0.15) virus signature database: 1768 simple patterns; average pattern length = 55 bytes; pattern length 6 ~ 2189 bytes
  - SNORT (v2.1.2): 1039 simple patterns, 527 correlated patterns; mostly 10 ~ 100 bytes, some 1 ~ 4 bytes long
- Packet traces:
  - Real: MIT trace (1M), Berkeley trace (6M)
  - Synthetic: randomly insert patterns into the packet payload

17 ClamAV Pattern Set
- w = 128 bytes
- TCAM = 240 KB
- SRAM < 10 MB

18 ClamAV Pattern Set
- PHL size for the ClamAV pattern set with real traces
  - Avg PHL: mean of the average PHL size over all packets
  - AvgMax PHL: mean of the maximum PHL size over all packets
  - Max: maximum PHL size over all packets

19 ClamAV Pattern Set
- PHL size for the ClamAV pattern set with synthetic traces
- SRAM lookups can keep up with the TCAM lookups
- Scan rate = 2 Gbps

20 SNORT Pattern Set
- PHL size for the SNORT pattern set with real traces (w = 128, TCAM size = 295 KB)

Window Size | MIT Dump Avg | MIT Dump AvgMax | MIT Dump Max | Berkeley Dump Avg | Berkeley Dump AvgMax | Berkeley Dump Max
20 | 0.5523 | 2.7683 | 8 | 0.4702 | 1.5765 | 12
40 | 0.9881 | 3.5376 | 14 | 0.6500 | 1.8661 | 18
60 | 1.3151 | 3.9960 | 14 | 0.7313 | 1.9652 | 23
80 | 1.5491 | 4.2158 | 16 | 0.7587 | 2.0373 | 24
100 | 1.6867 | 4.3485 | 18 | 0.7661 | 2.0740 | 25
120 | 1.7725 | 4.4475 | 18 | 0.7669 | 2.0768 | 25
140 | 1.8308 | 4.5722 | 19 | 0.7669 | 2.0768 | 25
160 | 1.8800 | 4.6643 | 19 | 0.7669 | 2.0768 | 25
180 | 1.9244 | 4.7386 | 19 | 0.7669 | 2.0768 | 25
200 | 1.9662 | 4.8079 | 20 | 0.7669 | 2.0768 | 25

21 SNORT Pattern Set
- Scan Ratio = total scan time / total TCAM lookup time
- Memory Ratio = SRAM access time / TCAM access time
- Effect of the memory ratio on the scan ratio
- Scan rate > 1 Gbps

22 Conclusion
- A simple multi-pattern matching algorithm using TCAM
- Supports thousands of patterns with variable lengths
- Supports long patterns, correlated patterns, and patterns with negation and wildcards
- Achieves multi-gigabit rates on the ClamAV and SNORT pattern sets
