
Regular Expression Matching for Reconfigurable Packet Inspection

Regular Expression Matching for Reconfigurable Packet Inspection. Authors: João Bispo, Ioannis Sourdis, João M.P. Cardoso and Stamatis Vassiliadis. Publisher: IEEE Field-Programmable Technology (FPT) 2006. Presenter: Pei-Hua Huang. Date: 2014/04/09.


Presentation Transcript


  1. Regular Expression Matching for Reconfigurable Packet Inspection. Authors: João Bispo, Ioannis Sourdis, João M.P. Cardoso and Stamatis Vassiliadis. Publisher: IEEE Field-Programmable Technology (FPT) 2006. Presenter: Pei-Hua Huang. Date: 2014/04/09. Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C.

  2. INTRODUCTION. Although wildcards and the Union and Concatenation operators have previously been implemented efficiently in hardware [3], constrained repetitions are more complicated because they require keeping track of multiple states. We introduce three new basic building blocks for constrained repetition operators, which can be combined with previous research to achieve efficient designs. Computer & Internet Architecture Lab, CSIE, National Cheng Kung University

  3. Exactly block. The Exactly block a{N} is the concatenation of N 'a' characters. When a token i is received at the input, it enters the shift register (successive FFs and SRL16 resources) if the 'a' character matches, and the block forwards it after N matches.

  4. AtLeast block. The AtLeast block a{N,} is the concatenation of N or more successive 'a' characters. When a token arrives, the block outputs a token after N matches, and the output remains active until the first mismatch.

  5. Between block. In the Between block (a{N,M}), between N and M 'a' matches have to be detected. After N simultaneous matches, the second counter is enabled. The second counter (which counts M − N) outputs '1' for M − N simultaneous matches.

  6. Example bba\n

  7. Restriction. The above constrained repetition blocks support repetitions of only a single character. They do not support repetitions of expressions that require more than one cycle to match. Fortunately, more than 95% of the constrained repetitions included in Snort regular expressions are of a single character.

  8. Reducing Area. Several techniques reduce the area cost.
     • Xilinx SRL16:
       • Many basic blocks, such as constrained repetitions, need to store a large number of states, which can also be implemented by shift registers.
       • These are implemented with SRL16s, which require a single logic cell (a single LUT plus a flip-flop) to store 17 states.
       • As an example, since an SRL16 and a FF can be mapped onto a single logic cell, the expression a{1000} requires only 65 logic cells.

  9. Reducing Area.
     • Prefix Sharing
       • A large number of regular expressions have common prefixes. Consequently, these prefixes can be shared.
       • The common prefixes are implemented as complete regular expressions, and their outputs provide an input to the suffixes of the corresponding regular expressions.

  10. EVALUATION & COMPARISON. The designs are implemented using Xilinx Virtex2 and Virtex4 devices (Xilinx ISE 8.1 software was used). The evaluation uses the rules of the Snort v2.4 open-source intrusion detection system, which has 509 unique regular expressions of 19,580 non-meta characters. The schemes are evaluated and compared with the related research using a Performance Efficiency Metric (PEM),
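The Exactly, AtLeast and Between blocks of slides 3 to 5 can be modelled in software, one input character per cycle. The following is an added behavioural sketch, not code from the slides or the paper: the class names, the `run` helper, the rule that a mismatch clears all stored tokens, and the one-cycle delay between a prefix match and its token are assumptions made for the illustration.

```python
# Added behavioural model (not the paper's HDL). One input character per cycle.
# Assumption: a mismatch clears every token stored in a block.

class Exactly:
    """a{N}: N-stage shift register that advances only while 'a' matches."""
    def __init__(self, ch, n):
        self.ch, self.reg = ch, [0] * n

    def step(self, c, token_in):
        if c != self.ch:
            self.reg = [0] * len(self.reg)   # mismatch: drop all tokens in flight
            return 0
        self.reg = [token_in] + self.reg[:-1]
        return self.reg[-1]                  # token that has now seen N matches

class AtLeast(Exactly):
    """a{N,}: Exactly(N) whose output stays active until the first mismatch."""
    def __init__(self, ch, n):
        super().__init__(ch, n)
        self.hold = 0

    def step(self, c, token_in):
        fired = super().step(c, token_in)
        self.hold = int(c == self.ch and (fired or self.hold))
        return self.hold

class Between(Exactly):
    """a{N,M}: Exactly(N), then a counter holds the output for M-N more matches."""
    def __init__(self, ch, n, m):
        super().__init__(ch, n)
        self.extra, self.left = m - n, 0

    def step(self, c, token_in):
        if super().step(c, token_in):
            self.left = self.extra           # newest token reloads the counter
            return 1
        if c == self.ch and self.left > 0:
            self.left -= 1
            return 1
        self.left = 0
        return 0

def run(block, prefix_ch, text):
    """Feed a token one cycle after each prefix_ch; return the output bit per cycle."""
    out, token = [], 0
    for c in text:
        out.append(block.step(c, token))
        token = int(c == prefix_ch)          # registered prefix match, used next cycle
    return out
```

On the constructed input `"baaaab"`, a 1 at position t means the expression `b` followed by the repetition has matched ending at character t; each call to `run` needs a fresh block instance.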
