a memory efficient parallel string matching for intrusion detection systems
Download
Skip this Video
Download Presentation
A Memory-Efficient Parallel String Matching for Intrusion Detection Systems

Loading in 2 Seconds...

play fullscreen
1 / 22

A Memory-Efficient Parallel String Matching for Intrusion Detection Systems - PowerPoint PPT Presentation


  • 91 Views
  • Uploaded on

A Memory-Efficient Parallel String Matching for Intrusion Detection Systems. HyunJin Kim, Hyejeong Hong, Hong- Sik Kim, and Sungho Kang, Member, IEEE. Outline. INTRODUCTION PROPOSED PARALLEL STRING MATCHING Architecture of String Matcher Gray Code-Based Sorting Bit Position Grouping

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' A Memory-Efficient Parallel String Matching for Intrusion Detection Systems' - sun


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
a memory efficient parallel string matching for intrusion detection systems

A Memory-Efficient Parallel String Matching forIntrusion Detection Systems

HyunJin Kim, Hyejeong Hong, Hong-Sik Kim, and Sungho Kang, Member, IEEE

outline
Outline
  • INTRODUCTION
  • PROPOSED PARALLEL STRING MATCHING
    • Architecture of String Matcher
    • Gray Code-Based Sorting
    • Bit Position Grouping
    • PERFORMANCE EVALUATION
introduction
INTRODUCTION
  • The DFA-based string matcher improves both regularity and scalability with lower time complexity [1].
  • However, the memory requirements are proportional to the numbers of states and input symbols.
introduction1
INTRODUCTION
  • In order to reduce the memory requirements for the DFAbased string matching, the bit-split string matching using Aho- Corasickalgorithm [2] was proposed in [3].
  • The bit-split string matching partitions target patterns into subgroups with a list of the lexicographically sorted target patterns.
introduction2
INTRODUCTION
  • Due to the biased bit transitions for each bit position group, the memory usage between FSM tiles in a string matcher could be unbalanced.
proposed parallel string matching
PROPOSED PARALLEL STRING MATCHING
  • The architecture of the string matcher is based on the string matching engine in [3], which is summarized as follows:
    • In a string matcher, each homogeneous FSM tile takes 𝑛 bits of one character (or one byte) as an input per cycle.
    • In a state of each FSM tile, pattern identifications are stored as a partial match vector (PMV), where the 𝑖−th bit represents whether the 𝑖−th pattern is matched or not in the state.
architecture of string matcher
Architecture of String Matcher
  • Each state in an FSM tile has 2𝑛 pointers for the next state according to 𝑛-bit input. Therefore, the memory size of a string matcher is given by:
  • The main difference of the proposed string matcher from the string matching engine in [3] is that bits for an FSM tile input are selected among the input bits of one character (eight bits) using eight 8:1 multiplexers to support the bit position grouping.
gray code based sorting
Gray Code-Based Sorting
  • Target patterns are sorted based on BRGC values to reduce bit transitions between successive patterns.
  • When the character code values in the prefixes of target patterns are not evenly distributed, the effectiveness of the gray codebased sorting is restricted.
bit position grouping
Bit Position Grouping
  • Let us assume that a string matcher has four FSM tiles with two input bits. In addition, “he,” “has,” “his,” and “hers” are assumed to be the patterns to be mapped.
  • For all string matchers in [3], a set of bit position groups for four FSM tiles is fixed as {(8, 7), (6, 5), (4, 3), (2, 1)}, where the number represents a bit position of one character from the LSB.
bit position grouping2
Bit Position Grouping
  • After grouping the MSB positions with other bits, an optimal set of bit position groups can be {(8, 4), (7, 3), (6, 5), (2, 1)}.
bit position grouping4
Bit Position Grouping
  • The bit position grouping for a string matcher has the constant time complexity of O (1).
  • When all target patterns to be mapped onto multiple string matchers, the time complexity can be O(𝑇 ).
  • The time complexity of pattern sorting can be O (𝑇 𝑙𝑜𝑔2𝑇 ).
bit position grouping5
Bit Position Grouping
  • However, due to the large constant factor of the bit position grouping complexity, if the number of target patterns 𝑇 is not sufficiently large, the pattern sorting will not be dominant.
performance evaluation
PERFORMANCE EVALUATION
  • Target patterns were extracted from Snort v2.8 rules [4].
  • Considering design analysis in [3], an FSM tile was assumed to take two bits of one character as an input.
performance evaluation2
PERFORMANCE EVALUATION
  • In Table I, the number of adopted string matchers was reduced on average by 4.44%, in comparison with the existing bit-split string matching in [3].
performance evaluation4
PERFORMANCE EVALUATION
  • For all patterns of Snort rule sets, total rule set with 7766 unique patterns was obtained, where the average number of characters in target patterns was 18.6.
  • The number of total unused states in all FSM tiles was reduced on average by 13.46%.
performance evaluation5
PERFORMANCE EVALUATION
  • When a string matcher did not adopt the fixed set of bit position groups, the proposed algorithm mapped more target patterns onto the string matcher than the method in [3].
performance evaluation6
PERFORMANCE EVALUATION
  • In Table III, the ratio of the string matchers that did not adopt the fixed set of bit position groups was up to 33.33%.
performance evaluation7
PERFORMANCE EVALUATION
  • Considering the performance enhancements, the proposed parallel string matching is useful for reducing memory costs without losing regularity and scalability of the string matching.
ad