180 likes | 372 Views
Efficient Pattern Matching Algorithm for Memory Architecture. Author : Cheng-Hung Lin and Shih-Chieh Chang Publisher: IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS 2009 Presenter: Han-Chen Chen Date: 2010/03/03. Introduction.
E N D
Efficient Pattern Matching Algorithm for Memory Architecture Author: Cheng-Hung Linand Shih-Chieh Chang Publisher: IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS 2009 Presenter: Han-Chen Chen Date: 2010/03/03
Introduction • In order to accommodate the increasing number of attack patterns and meet the throughput requirement of networks, a successful network intrusion detection system must have a memory-efficient pattern-matching algorithm and hardware design. • By merging traditional AC algorithm states and constructing a new traversal mechanism on merged FSM, we can achieves 21% of memory reduction.
Review of AC Algorithm In a traditionalAC state machine, a final state stores thecorresponding match vector which is one-hot encoded. Pattern1 : bcdf Pattern2 : pcdg
Merge States Problem Pattern1 : bcdf Pattern2 : pcdg Merge similar transition 00 00 00 01 00 10 00 00 00 Input string : pcdf causes false positive results If we can memorize the precedent state entering the merged states, we can differentiate all merged states.
Data structure Pattern1 : bcdf Pattern2 : pcdg Match vector ->pathVec_ifFinal PathVec : record the path ifFinal : whether the state is final Only add an additional bit to each state.
Merge_FSM Definition: Two states are defined as pseudo-equivalent states if they have identical input transitions, identical failure transitions, and identical ifFinal bit, but different next states. State 2 and state 6 are similar. State 3 and state 7 are similar. 01_1 01_0 01_0 01_0 11_0 10_1 10_0 10_0 10_0
Construction of State Traversal Machine (1/2) • The construction of valid transition, failure transition, pathVec, and ifFinal functions. • Merging pseudo-equivalent states. Pattern 1: abcdef Pattern 2: apcdeg Pattern 3: awcdeh Add pattern : apcdeg
Construction of State Traversal Machine (2/2) Add pattern : awcdeh Merge similar states
State Traversal Mechanism on a Merge_FSM (1/3) In addition, we need a register, called preReg, to trace the precedent pathVec in each state. The width of preReg is equal to the width of pathVec. Each bit of the preReg also corresponds to a string pattern.
State Traversal Mechanism on a Merge_FSM (2/3) Pattern1 : bcdf Pattern2 : pcdg Input string : p c d f
State Traversal Mechanism on a Merge_FSM (3/3) Pattern1 : bcdf Pattern2 : pcdg Input string : p c d g
Loop Back in Merged States(1/2) Pattern : abcdef and wdebcg Input string “abcdebcdef” will be mistaken as a match of the pattern “abcdef”
Loop Back in Merged States(2/2) • Patterns: • abcdefghijklm andabcwsghidefxyklm • Using the longest common substringalgorithm, we canextract all of the common substrings of thesetwo patterns such as “abc”, “def”, “ghi” and “klm”. • Then, welabel the substrings “abc”, “def”, “ghi”, and “klm” as α, β, γ, δ.“abcdefghijklm” is labeled as “αβγδ ” while the sequence of substrings in “abcwsghidefxyklm” is labeled as “αγβδ”. • LCS result : αβδ or αγδ.we can merge the subsequences of α (“abc”), β (“def”)andδ (“klm”) or the subsequences of α(“abc”), γ(“ghi”),and δ (“klm”) • Output result
Hardware Architecture 32 patterns & 1024 transitions (states) ns_ctrl : All preReg bits are 0 or n_valid is 1 ns_sel =0 Not all preReg bits are 0 and n_valid is 0 ns_sel =1