Gigabit Rate Packet Pattern-Matching Using TCAM

Fang Yu and Randy H. Katz

UC Berkeley

T. V. Lakshman

Bell Laboratories, Lucent Technologies

Motivation
  • Numerous malicious probes and worms
  • End-host based solution is not sufficient
    • It is hard for all end users to apply patches quickly
    • Worms can contaminate millions of hosts within hours
  • Network based solution – network intrusion detection systems (NIDS)
    • Perform packet scanning for complicated worm patterns in the network
    • Stop worms from reaching end hosts
    • Easy to manage for network administrators
Pattern Matching for NIDS
  • Thousands of complicated patterns
    • Patterns have variable lengths
    • Patterns with correlation
      • “abc” followed by “cde” within 3 bytes
    • Patterns with negation
      • “user” not followed by “|0a|” within 50 bytes
  • Require packet payload scanning
    • Not supported by most current network devices, which support packet header processing only
Current Pattern Matching Schemes
  • Software based solutions
    • Speed is slow
  • FPGA solutions
    • Build large DFA or NFA for all patterns
    • Build a KMP-based search engine for each pattern
  • Bloom Filters
    • One bloom filter for each pattern length
    • Not scalable when pattern lengths vary dramatically
Ternary-CAM (TCAM)
  • Fully associative memory: compares the input string with all entries in parallel
    • If there are multiple matches, report the index of the first match
  • Each cell takes one of three logic states
    • ‘0’, ‘1’, and ‘?’ (don’t care)
  • Current TCAM technology
    • Fast: match time 4 ns
    • Size: 1-2 MB
    • Width configurable
      • 1024 entries × 1024 bytes width
      • 2048 entries × 512 bytes width

[Slide graphic: TCAM layout showing a cell, an entry, and the width]
Pattern Matching with TCAM
  • Put all the patterns into the TCAM
    • Assume every pattern is no longer than the TCAM width
    • If a pattern is shorter than the TCAM width, pad it with ‘?’
    • Order the patterns by length, longest first
      • When the input matches entry ABC, report matches of both pattern ABC and pattern AB
  • Shift the input one byte each time
Analysis
  • Scan speed:
    • 4 ns per TCAM lookup, shift one byte at a time
    • 8 bits / 4 ns = 2 Gbps worst-case scan rate
  • Limitation: requires all patterns to be no longer than the TCAM width
    • Set the TCAM width >= longest pattern’s length
      • Pad all short patterns to TCAM width
      • Waste TCAM resources
    • Can we set TCAM width smaller and cut long patterns into smaller patterns?
Long Patterns
  • Cut long patterns into smaller patterns
    • TCAM width w=4 bytes
    • DEFGABCDL is split into DEFG, ABCD, and L
  • Pad the last partial pattern with the tail of the second last partial pattern
    • DEFGABCDL is split into DEFG, ABCD, and BCDL

[Slide graphic: DEFGABCDL shown split as DEFG / ABCD / L and as DEFG / ABCD / BCDL]

  • Short partial patterns, many TCAM hits

Concatenate Partial Patterns into Long Patterns
  • Patterns: ABCDABCD, DEFGABCDL, DEFGDEF, DEF

[Slide graphic: Matching Table and Partial Hit List (PHL) built from these patterns]
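To make the split-and-concatenate scheme concrete, here is a small added simulator (not code from the slides or the paper): the TCAM is modelled as a list of width-w entries with ‘?’ cells searched longest-literal-first, the combined matching table maps each entry to the partial patterns it covers, and a Partial Hit List carries partial hits until the next chunk arrives at its expected position. It assumes ASCII patterns, that every partial pattern is a literal prefix padded with ‘?’, and additionally reports the maximum PHL size seen during the scan.

```python
def split_pattern(pattern, w):
    """Cut a pattern into (chunk, offset) pairs of TCAM width w; a short last chunk
    becomes the pattern's last w bytes (DEFGABCDL -> DEFG@0, ABCD@4, BCDL@5)."""
    if len(pattern) <= w:                      # short pattern: pad with '?' cells
        return [(pattern.ljust(w, "?"), 0)]
    chunks = [(pattern[i:i + w], i) for i in range(0, len(pattern), w)]
    if len(chunks[-1][0]) < w:
        chunks[-1] = (pattern[-w:], len(pattern) - w)
    return chunks

def build_tcam(patterns, w):
    """Entries sorted longest literal first, plus the combined pattern table:
    entry -> every (pattern id, chunk index, offset) whose partial is a prefix of it."""
    partials = {}
    for pid, p in enumerate(patterns):
        for k, (chunk, off) in enumerate(split_pattern(p, w)):
            partials.setdefault(chunk, []).append((pid, k, off))
    lit = lambda e: e.rstrip("?")              # literal part of an entry
    entries = sorted(partials, key=lambda e: -len(lit(e)))
    table = {e: [i for q in partials if lit(e).startswith(lit(q)) for i in partials[q]]
             for e in entries}                 # a hit on DEFG also reports DEF?
    return entries, table

def tcam_lookup(entries, window):
    """All entries compare in parallel; the first (longest) match is reported."""
    for e in entries:
        if all(c == "?" or (i < len(window) and c == window[i]) for i, c in enumerate(e)):
            return e
    return None

def scan(data, patterns, w):
    """Shift one byte per lookup; return (matches as (pattern, start), max PHL size)."""
    entries, table = build_tcam(patterns, w)
    chunks = [split_pattern(p, w) for p in patterns]
    phl, hits, max_phl = set(), [], 0          # PHL item: (pid, next chunk, expected pos)
    for pos in range(len(data)):
        phl = {h for h in phl if h[2] >= pos}  # expire partial hits that never continued
        entry = tcam_lookup(entries, data[pos:pos + w])
        if entry is None:
            continue                           # miss: no memory lookup at all
        for pid, k, off in table[entry]:       # hit: one table lookup per listed partial
            if k > 0 and (pid, k, pos) not in phl:
                continue                       # chunk k was not expected at this position
            if k == len(chunks[pid]) - 1:
                hits.append((patterns[pid], pos - off))          # last chunk: full match
            else:
                phl.add((pid, k + 1, pos - off + chunks[pid][k + 1][1]))
        max_phl = max(max_phl, len(phl))
    return sorted(hits), max_phl
```

Running scan("XXDEFGABCDLDEFGDEFYABCDABCD", ["ABCDABCD", "DEFGABCDL", "DEFGDEF", "DEF"], 4) on this constructed input finds every embedded pattern, including DEFGDEF, whose padded last chunk GDEF starts inside the previous chunk.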

Correlated Patterns
  • One pattern after another
    • E.g. “ABCD” followed by “DEF” within 10 bytes
    • The matching result of “ABCD” has to be in PHL for 10 positions
Matching Process
  • TCAM reports a miss
    • No extra memory lookup
  • TCAM reports a hit
    • If it is a partial pattern
      • For every item in PHL
        • One memory lookup into matching table to see whether it generates a valid pattern
  • Examples based on statistical analysis
    • n = 2000, m_i = 200 bytes, w = 4 bytes: associate hit rate is 2.2e-5, PHL size is 8.8e-5
    • w = 8 bytes: associate hit rate is 2.6e-15, PHL size is 2.08e-14

[Slide graphic: associate hit rate; PHL size]

Malicious Attack?
  • Window: distance between two correlated patterns
  • After matching a pattern, what is the probability of matching another one j positions later (window size j)?
    • When j = 1, the probability is:

1-

    • E.g., for n = 1000 and m = 4, it is 0.029
    • As j increases, the probability increases; if j = m, the probability is 1
  • Worst case PHL size is at least: window size / m
Simulation Results on ClamAV
  • ClamAV virus signature database
    • Version 0.15, which contains simple patterns only
    • 1768 patterns, varying from 6 bytes to 2189 bytes
Effect of TCAM Width
  • Total TCAM space:
    • Increases as w increases, because of padding
  • Mapping Table Size
    • Decreases as w increases, because there are fewer partial patterns
PHL Size on Real Data
  • For each packet, record average and maximum PHL size
    • Avg: mean of the average PHL size over all packets
    • AvgMax: mean of the maximum PHL sizes
    • Max: maximum PHL size over all packets
Simulation Results on Snort
  • SNORT system (v2.1.2) has 1991 rules
    • 1039 simple patterns
    • 527 correlated patterns
      • Up to 7 sub-patterns
  • Set TCAM width as 128 bytes
    • Patterns fit into a TCAM size of 295KB
Conclusions
  • Fast pattern matching is essential for building effective defenses against viruses
  • Multiple pattern matching with TCAM
    • Achieves multi-gigabit rate
    • Searches for thousands, or tens of thousands, of patterns in parallel
    • Supports long patterns, correlated patterns, and also patterns with negation and wildcards
    • Can be extended to support higher rates with larger TCAMs
Long Patterns
  • What if a pattern is longer than the width of the TCAM?
    • Split it into multiple partial patterns
  • For example, TCAM width k=4

[Slide graphic: partial patterns after the split, including L ? ? ?]

  • Short partial patterns, many TCAM hits

Statistical Analysis
  • Example
    • n = 2000, m_i = 200 bytes, w = 4 bytes: associate hit rate is 2.2e-5, PHL size is 8.8e-5
    • w = 8 bytes: associate hit rate is 2.6e-15, PHL size is 2.08e-14
  • Assume random input string, independent patterns
    • Number of patterns: n
    • Pattern size: m_i bytes for pattern i
    • TCAM width: w
    • Total entries for partial items in TCAM:
    • Associate hit rate is
    • Ignoring the dependency between neighboring positions, PHL size is

Synthesized “Worst-case” Packets
  • Four sets of synthesized data
    • 1, 10, and 100 randomly inserted virus patterns per packet
Memory Lookup Process
  • TCAM reports a miss
    • No extra memory lookup
    • Memory lookup process is idle
  • TCAM reports a hit
    • One memory lookup in the combined pattern table
    • Lookups in matching table if PHL is not empty
Effects of Memory Ratio on Scan Rate
  • Scan ratio
    • Total scanning time (including memory lookups) vs. the time spent on TCAM lookups only
    • E.g., scan ratio = 2 means total scanning rate = TCAM access rate / 2
  • Memory ratio
    • Ratio of SRAM access time to TCAM access time