An FPGA-Based Algorithm to Accelerate Regular Expression Matching

• Published in: Security, Privacy, and Anonymity in Computation, Communication, and Storage Vol. 10658; pp. 424 - 434
• Main Authors: Yang, Jiajia, Jiang, Lei, Bai, Xu, Dai, Qiong, Su, Majing, Bhuiyan, Md Zakirul Alam
• Format: Book Chapter
• Language: English
• Published: Switzerland Springer International Publishing AG 2017; Springer International Publishing
• Series: Lecture Notes in Computer Science
• Subjects: Deep Packet Inspection; DFA; FPGA; NIDS; Regular expression matching
• ISBN: 9783319723945; 3319723944
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-319-72395-2_39

State-of-the-art Network Intrusion Detection Systems (NIDSs) use regular expressions (REs) to detect attacks or vulnerabilities. In order to keep up with the ever-increasing speed, more and more NIDSs need to be implemented by dedicated hardware. A major bottleneck is that NIDSs scan incoming packets just byte by byte, which greatly limits their throughput. Besides, huge memory consumption limits it’s practicability. In this paper, we propose an algorithm for regular expression matching that consumes multiple characters per time while maintaining memory efficiency. It includes 3 ideas: (1) top-k state extraction; (2) variable-stride acceleration; (3) DFA compression. We tested our algorithm on several real-life RE rulesets. The experimental results show that it achieves good performance on both memory efficiency and high throughput. It could achieve 14–22x efficiency ratio than the original DFA on Bro and Snort rulesets, and 2–7x efficiency ratio than the original DFA on l7_filter ruleset.