Field-Split Parallel Architecture for High Performance Multi-Match Packet Classification Using FPGAs. Author: Weirong Jiang and Viktor K. Prasanna. Publisher: ACM Symposium on Parallel Algorithms and Architectures, SPAA 2009. Presenter: Chin-Chung Pan. Date: 2009/10/14.

  1. Field-Split Parallel Architecture for High Performance Multi-Match Packet Classification Using FPGAs Author: Weirong Jiang and Viktor K. Prasanna Publisher: ACM Symposium on Parallel Algorithms and Architectures, SPAA 2009 Presenter: Chin-Chung Pan Date: 2009/10/14

  2. Outline • Introduction • Analysis of Snort Header Rule Sets • Algorithms and Architecture • The Field-Split Bit Vector (FSBV) Algorithm • Basic Architecture • Supporting Snort Features • Performance Evaluation

  3. Introduction • Traditional network applications such as firewall processing require reporting only the highest-priority matching rule, which we call best-match packet classification. • In contrast, network intrusion detection systems (NIDS) need multi-match packet classification to find all rule headers that match a given packet. • Our work focuses on multi-match packet header classification in NIDS.

  4. Analysis of Snort Header Rule Sets

  5. Algorithms and Architecture

  6. Algorithms and Architecture - The Field-Split Bit Vector (FSBV) Algorithm • Applying the FSBV algorithm for matching the DP field of a packet against three rules.

  7. Algorithms and Architecture - Basic Architecture

  8. Algorithms and Architecture - Supporting Snort Features • We examined the usage of the unique features provided by Snort rules, including the value list, the negation operator, and the range operator for port fields. • The negation operator “!”. For example, ![60,80] indicates any port number except 60 and 80. • The range operator. For example, 60:80 indicates port numbers from 60 to 80.

  9. Algorithms and Architecture - Supporting Snort Features

  10. Algorithms and Architecture - Supporting Snort Features
  Rule set (DP field shown as 4-bit ternary strings, '*' = don't care):
  Rule   Other fields   DP (4-bit)    Range
  R1     …              11*0          12, 14
  R2     …              0101          5
  R3     …              110*          12, 13
  R4     …              0111, 100*    7~9
  Because the DP field of R4 is a value list of two entries, R4 is expanded into R4 and R'4, so every bit vector for this field has five columns (R1 R2 R3 R4 R'4) instead of four. Build bit vectors: for each of the four bit positions, one vector for bit value 0 and one for bit value 1; column j is 1 if the jth entry accepts that bit value.
  DP of the input packet: 1 1 0 0. Perform match: AND the vector selected by each input bit, 1 0 1 0 1 & 1 1 1 1 0 & 1 1 1 0 1 & 1 0 1 0 1 = 1 0 1 0 0. OR the R4 and R'4 columns back into a single R4 bit: 1 0 1 0, i.e. R1 and R3 match DP = 12.

  11. Algorithms and Architecture - Supporting Snort Features • Given N rules, if a field of the ith rule is specified as a list of M values, the ith bit of every bit vector for this field is expanded to M bits, so each bit vector for that field grows from N bits to N+M-1 bits.

  12. Algorithms and Architecture - Supporting Snort Features • Most port fields are specified as a single value. Over 85% of the unique values for SP/DP fields are specified as a single value, while only around 10% of port field values are specified as ranges. • The current Snort rule set uses few value lists.
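The FSBV matching of slides 6, 10 and 11 as an added example, not code from the paper or the presenter: it expands a range into ternary prefixes, builds one (N+M-1)-bit vector per (bit position, bit value) with value-list expansion, ANDs the vectors selected by the packet's bits, and ORs expanded columns back to their rule. The rule set and the 4-bit DP width are taken from slide 10; the negation operator is not modelled.

```python
# Added example (not the paper's code): Field-Split Bit Vector (FSBV)
# matching of a 4-bit DP field against the rule set of slide 10.

W = 4  # field width in bits (slide 10 uses a 4-bit DP field)

# Constructed rule set from slide 10: each rule's DP field is a list of
# ternary strings ('*' = don't care). R4 is a value list, i.e. one rule
# expanded into two entries (the paper's R4 and R'4).
RULES = [["11*0"], ["0101"], ["110*"], ["0111", "100*"]]

def range_to_ternary(lo, hi, width=W):
    """Split an inclusive range 'lo:hi' into ternary prefix strings
    (standard prefix expansion; 7~9 becomes ['0111', '100*'])."""
    out = []
    while lo <= hi:
        k = 0  # largest k with lo aligned to 2^k and lo+2^k-1 <= hi
        while (k < width and lo % (1 << (k + 1)) == 0
               and lo + (1 << (k + 1)) - 1 <= hi):
            k += 1
        prefix = "" if k == width else format(lo >> k, f"0{width - k}b")
        out.append(prefix + "*" * k)
        lo += 1 << k
    return out

def build_vectors(rules, width=W):
    """One (N+M-1)-bit vector per (bit position i, bit value b).
    vectors[i][b][j] is 1 if expanded entry j accepts bit value b at
    position i. Also returns the entry-to-rule map used for the final OR."""
    entries = [(r, t) for r, alts in enumerate(rules) for t in alts]
    vectors = [[[1 if t[i] in ("*", str(b)) else 0 for _, t in entries]
                for b in (0, 1)] for i in range(width)]
    return vectors, [r for r, _ in entries]

def fsbv_match(value, rules, width=W):
    """Return the set of rule indices whose DP field matches `value`."""
    vectors, owner = build_vectors(rules, width)
    bits = format(value, f"0{width}b")
    acc = [1] * len(owner)
    for i, ch in enumerate(bits):          # AND across the bit positions
        acc = [a & v for a, v in zip(acc, vectors[i][int(ch)])]
    # OR the expanded entries (R4, R'4) back into their owning rule
    return {r for hit, r in zip(acc, owner) if hit}

if __name__ == "__main__":
    print(range_to_ternary(7, 9))        # ['0111', '100*']
    print(sorted(fsbv_match(12, RULES))) # [0, 2]  -> R1 and R3, as on slide 10
```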

  13. Performance Evaluation - Results on Synthetic Rules

  14. Performance Evaluation - Results on Snort Rules
