Compare with the other related works

Fig.13 and Fig.14 show the pattern size and the throughput of several accelerators of string matching. The architecture of the researches may have high performance like Tan’s Bit-split AC [18] or accommodate large pattern set like Dharmapurikar’s [29], but there are few architectures can both accommodate large pattern set and maintain a high throughput like BFAST. One thing need to be mentioned in this figure is the throughput of the BFAST is depending on the verification rate. We assume the verification rate is low enough (<0.4%) herein so that the scanning module will not be blocked by the verification module, and thus the throughput is full-speeding 9.2Gbps.

0

Figure 13. The pattern size comparison of different hardware architecture

0

Figure 14. The throughput comparison of different hardware architecture

Besides the large pattern capacity and the high throughput, another advantage of the BFAST is the simple circuit design. Table3 compares with the INOSIDICE and the clarks’ design which have more little pattern capacity but higher throughput, Table the circuit size of BFAST is much smaller with storing the patterns in memory instead of flip-flops.

Table 3. Comparisons of circuit sizes of Multi-character decoder NFA, Pre-decoded CAM comparator and BFAST

Type Approach Circuit Size

(LC) Decoder NFA Clark’s Multi-character decoder NFA [29] 29,281 Parallel Comparator Sourdis et al.'s Pre-decoded CAM Comp. [33] 64,268 Bloom Filter Implicit shift table using Bloom filters 5,438

Chapter6. Conclusion and future works

This work implement an implicit shift table using Bloom filters to realize a sub-linear time algorithm with hardware. It processes multiple bytes a time based on the theory of the sub-linear time algorithm to increase the throughput up to 9.2Gbps and utilize the efficient memory-usage Bloom filter to accommodate more than 10,000 patterns. The simplicity of the circuit design of this architecture makes this design can be integrated into the Xilinx XC2VP30 SOC platform to become a customized anti-virus chip. After coordinating the packet flow and the other processor communication, it can become a complete security system.

After the implementation, we find that although the performance of this design is good in average case, but it will decrease when the verification rate going higher, i.e.

when the virus appearing more often. The slow verification speed will slowdown overall system performance. It can be fixed by utilizing more than one verification engine to balance the speed between verification and scanning. Analysis of the speed differencing in various virus appearing ratio and the different packet lengthes is also interesting in this topic. Although this work implements only a heuristic like Bad-Character in the BM algorithm, the Good-Suffix heuristic is designed with this architecture and illustrated in Appendix too. The improvement of this heuristic is predictable.

References

[1] S. Antonatos, K. G. Anagnostakis and E. P. Markatos, “Generating realistic workloads for network intrusion detection systems,” ACM Workshop on Software and Performance (WOSP), Redwood, CA, Jan. 2004.

[2] Ying-Dar Lin, Chih-Wei Jan, Po-Ching Lin and Yuan-Cheng Lai, “Designing an Integrated Architecture for Network Content Security Gateways,” IEEE Computer, June 2006.

[3] Y. H. Cho, S. Navab and W. H. Mangione-Smith, “Specialized hardware for deep network packet filtering,” Proc. of 12th International Conference on Field Programmable Logic and Applications (FPL), La Grand Motte, France, Sept.

2002.

[4] Z. K. Baker and V. K. Prasanna, “Time and area efficient pattern matching on FPGAs,” Proc. of International Symposium on Field-Programmable Gate Arrays (FPGA), Monterey, CA, Feb. 2004.

[5] I. Sourdis and D. Pnevmatikatos, “Pre-decoded CAMs for efficient and high-speed NIDS Pattern Matching,” IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Napa Valley, CA, April 2004.

[6] M. Aldwairi, T. Conte and P. Franzon, “Configurable string matching hardware for speeding up intrusion detection,” ACM SIGARCH Computer Architecture News, vol. 33, no. 1, pp. 99-107, Mar. 2005.

[7] I. Sourdis, “Efficient and high-speed FPGA-based string matching for packet inspection,” MS Thesis, Dept. Elec. Comput. Eng., Tech. Univ. Crete, Jul. 2004.

[8] A. Aho and M. Corasick, “Efficient string matching: An aid to bibliographic search,” Comm. of the ACM, vol. 18, issue 6, pp.333-343, Jun. 1975.

[9] P. C. Lin, Z. X. Li, Y. D. Lin, Y. C. Lai and F. C. Lin, “Profiling and Accelerating String Matching Algorithms in Three Network Content Security Applications,”

IEEE Communications Surveys and Tutorials, to appear.

[10] G. Navarro and M. Raffinot, Flexible pattern matching in strings, Cambridge Univ. Press, 2002.

[11] M. Norton and D. Roelker, “High performance multi-rule inspection engine,”

[Online]. Available: http://www.snort.org/docs/.

[12] A. Broder and M. Mitzenmacher, “Network applications of Bloom Filters: A survey,” Internet Mathematics, vol. 1, no. 4, pp. 485-509, 2004.

[13] S. Wu and U. Manber, “A fast algorithm for multi-pattern searching," Tech. Rep.

TR94-17, Dept. Comput. Sci., Univ. Arizona, May 1994.

[14] R. S. Boyer and J. S. Moore. “A Fast String Searching Algorithm,” Comm. of the ACM, vol. 20, issue 10, pp.762-772, Oct. 1977.

[15] ClamAV document, “Creating signatures for ClamAV,” [Online]. Available:

http://www.clamav.net/doc/0.88/signatures.pdf.

[16] M. Chrochemore and W. Rytter, Jewels of Stringology, World Scientific Publishing, 2003.

[17] Y. Sugawara, M. Inaba and K. Hiraki, “Over 10Gbps String Matching Mechanism for Multi-Stream Packet Scanning Systems,” Proc. of 14th International Conference on Field Programmable Logic and Applications (FPL), Antwerpen, Belgium, Aug. 2004.

[18] L. Tan and T. Sherwood, “A High Throughput String Matching Architecture for Intrusion Detection and Prevention,” Proc. 32nd Annual International Symposium on Computer Architecture (ISCA), Madison, WI, June 2005.

[19] N. Tuck, T. Sherwood, B. Calder and G. Varghese. “Deterministic Memory-Efficient String Matching Algorithms for Intrusion Detection,” Proc. of the IEEE INFOCOM, Hong Kong, Mar. 2004.

[20] M. Norton, “Optimizing Pattern Matching for Intrusion Detection,” [Online].

Available: http://www.snort.org/docs/.

[21] C. J. Coit, S. Staniford and J. McAlerney, “Towards faster string matching for intrusion detection or exceeding the speed of Snort,” Proceedings of the 2nd DARPA Information Survivability Conference and Exposition (DISCEX II), Anaheim, CA, June 2001.

[22] M. Fisk and G. Varghese. “Fast Content-Based Packet Handling for Intrusion Detection”. Tech. Rep. CS2001-0670, UC San Diego, May 2001.

[23] R. T. Liu, N. F. Huang, C. H. Chen and C. N. Kao, “A fast string-matching algorithm for network processor-based intrusion detection system,” ACM Trans.

Embedded Computing Systems, vol. 3, no. 3, pp. 614-633, Aug. 2004.

[24] P. C. Lin, Y. D. Lin, Y. C. Lai, T. H. Lee, “A Multiple-String Matching Algorithm with Backward Hashing for Generic Network Content Security”, __.

[25] Xilinx, “Two flows for partial reconfiguration: Module based and difference based,” [Online]. Available: http://www.xilinx.com/bvdocs/appnotes/xapp290.pdf.

[26] R. Sidhu, V. K. Prasanna, “Fast regular expression matching using FPGAs,” Proc.

of IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Rohnert Park, CA. Apr. 2001.

[27] J. Moscola, J. Lockwood, R. P. Loui, and M. Pachos. “Implementation of a Content-Scanning Module for an Internet Firewall,” Proc. of IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Napa Valley, CA, April 2003.

[28] I. Sourdis and D. Pnevmatikatos. “Fast, Large-Scale String Match for a 10Gbps FPGA-Based Network Intrusion Detection System,” Proc. of 13th International

Conference on Field Programmable Logic and Applications (FPL), Lisbon, Portugal, Sep. 2003.

[29] S. Dharmapurikar, P. Krishnamurthy, T. Sproull and J. Lockwood. “Deep packet inspection using parallel bloom filters,” 11th Symposium on High Performance Interconnects, Stanford, CA, Aug. 2003.

[30] B. Bloom. “Space/Time Tradeoffs in Hash Coding with Allowable Errors,”

Comm. of the ACM, vol. 13, issue 7, pp 422-426, July 1970.

[31] R. A. Baeza-Yates and G. H. Gonnet, “A New Approach to Text Searching,”

Comm. of ACM, vol. 35, issue 10, pp.74-82, Oct. 1992.

[32] Z. Galil, “On improving the worst case running time of the Boyer-Moore string searching algorithm,” Comm. of the ACM, vol. 22, issue 9, pp. 505-508, 1979.

[33] M. Attig, S. Dharmapurikar, and J. Lockwood. “Implementation results of bloom filters for string matching.” In IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Napa, CA, Apr. 2004.

[34] M.V. Remekrshna, E. Fu and E. Bahcekapili, "A performance study of hashing function for hardware applications," In Proc. of Int. Conf. on Computing and Information, pages 1621-1636,1994

[35] J. Lockwood. “An Open Platform for Development of Network Processing Modules in Reconfigurable Hardware.” IEC DesignCon 2001, Santa Clara, CA, Jan. 2001.

[36] G. Tripp. “A Finite-State-Machine Based String Matching System For Intrusion Detection on High-Speed Network.” Proc. of EICAR 2005, p. 26-40, May 2005.

[37] L. Bu, J. A. Chandy. “A Keyword Match Processor Architecture Using Content Addressable Memory.” Proc. of the 14th ACM Great Lakes Symp. on VLSI, Apr.

2004.

[38] B.L. Hutchings, R. Franklin, and D. Carver, “Assisting Network Intrusion Detection with Reconfigurable Hardware,” Proc. 10th Ann. IEEE Symp.

Field-Programmable Custom Computing Machines (FCCM 02), IEEE CS Press, 2002, pp. 111-120.

[39] C. R. Clark, D. E. Schimmel “Efficient Reconfigurable Logic Circuits for Matching Complex Network Intrusion Detection Patterns.” Lecture Notes in Computer Science, Vol. 2778, Jan 2003

[40] C. R. Clark, D. E. Schimmel. “Scalable Pattern Matching for High Speed Networks.” Proc. of 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM'04), 2004

[41] C. R. Clark, D. E. Schimmel. “A Pattern-Matching Co-Processor for Network Intrusion Detection Systems.” Proc. of IEEE International Conference on Field-Programmable Technology (FPT), Tokyo, Japan, Dec 2003

[42] Y. H. Cho, W. H. Mangione-Smith, “A Pattern Matching Coprocessor For Network Security.” Proc. of the 42nd Annual Conference on Design Automation, California, USA, Jun 2005.

[43] M. Gokhale, D. Dubois, A. Dubois, M. Boorman, S. Poole, and V. Hogsett.

“Granidt: Towards Gigabit Rate Network Intrusion Detection Technology.”

Lecture Notes in Computer Science, Vol. 2438, Jan 2002.