Optimization of Regular Expression Pattern Matching Circuits on FPGA
Authors: Cheng-Hung Lin, Chih-Tsun Huang, Chang-Ping Jiang, and Shih-Chieh Chang
Publisher: Design, Automation and Test in Europe, 2006. DATE’06 Proceedings
Presenter: Kia-Tso Chang
Date: November 15, 2007
Outline
1. Introduction
2. Implementation of NFA
3. Sharing prefix common sub-patterns
4. Sharing scheme for infix and postfix
Introduction
In contrast to software-only NIDS, many studies proposed hardware architectures for accelerating attack detection. Sidhu and Prasanna [1] proposed constructing an NFA (Nondeterministic Finite Automaton) from a regular expression to perform string matching. Hutchings, Franklin and Carver [2] developed a module generator that combined common prefixes to reduce FPGA area.
Simple NFA and implementation in logic
Regular expressions
Regular expressions are a common way to express attack patterns.
1. The first type defines exact string patterns, such as the pattern "Ahhhh My Mouth Is Open."
2. The second type consists of meta-characters.
Sharing prefix common sub-patterns
An erroneous implementation to share infix Dir
Sharing scheme for infix and postfix
An example of constraint 1
Abcdefgh
defpq
An example of constraint 2
abcdefgh
dedefpq
Sharing gain
The sharing gain of a common sub-pattern is defined as the number of characters in the sub-pattern multiplied by the number of regular expressions containing the sub-pattern. For example, the three regular expressions "1Common1", "2Common2", and "3Common3" share the common sub-pattern "Common". The sharing gain of this sub-pattern is 18 = 6*3.
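The sharing-gain definition above, applied across a whole pattern set, as an added example that is not from the paper or the slides: it enumerates every literal substring shared by at least two patterns and ranks the candidates by gain, which generalizes the single "Common" case. The brute-force enumeration, the `min_len` cutoff, the tie-break rule and all function names are assumptions of this sketch; meta-characters and the sharing constraints on the neighbouring slides are not modelled.

```python
from collections import defaultdict


def sharing_gains(patterns, min_len=2):
    """Return {sub-pattern: gain} for every substring shared by >= 2 patterns.

    gain = len(sub-pattern) * number of patterns that contain it.
    A pattern containing the sub-pattern several times is counted once.
    """
    owners = defaultdict(set)  # substring -> indices of patterns containing it
    for idx, pat in enumerate(patterns):
        for start in range(len(pat)):
            for end in range(start + min_len, len(pat) + 1):
                owners[pat[start:end]].add(idx)
    return {
        sub: len(sub) * len(ids)
        for sub, ids in owners.items()
        if len(ids) >= 2  # a sub-pattern used by one pattern shares nothing
    }


def best_shared(patterns, min_len=2):
    """Pick the shared sub-pattern with the highest gain, or None."""
    gains = sharing_gains(patterns, min_len)
    if not gains:
        return None
    # Assumed tie-break: prefer the longer sub-pattern, then lexicographic order.
    sub = max(gains, key=lambda s: (gains[s], len(s), s))
    return sub, gains[sub]


# Pattern sets taken from the slides (literal strings only).
SLIDE_PATTERNS = ["1Common1", "2Common2", "3Common3"]
CONSTRAINT_PATTERNS = ["abcdefgh", "dedefpq"]

if __name__ == "__main__":
    for name, pats in (("sharing gain slide", SLIDE_PATTERNS),
                       ("constraint 2 slide", CONSTRAINT_PATTERNS)):
        print(name, "->", best_shared(pats))
    # Show the full ranking for the first set, best candidate first.
    ranked = sorted(sharing_gains(SLIDE_PATTERNS).items(),
                    key=lambda kv: -kv[1])
    for sub, gain in ranked[:5]:
        print(f"{sub!r:10} gain={gain}")
```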
Flow of regular expression module generation
Logical structures for the proposed meta-character components
Logical structures for the proposed meta-character components
Implementation of NFA
The comparison among different approaches on Snort rule sets