1 / 22

A Memory-Efficient Parallel String Matching for Intrusion Detection Systems

A Memory-Efficient Parallel String Matching for Intrusion Detection Systems. HyunJin Kim, Hyejeong Hong, Hong- Sik Kim, and Sungho Kang, Member, IEEE. Outline. INTRODUCTION PROPOSED PARALLEL STRING MATCHING Architecture of String Matcher Gray Code-Based Sorting Bit Position Grouping

sun
Download Presentation

A Memory-Efficient Parallel String Matching for Intrusion Detection Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Memory-Efficient Parallel String Matching forIntrusion Detection Systems HyunJin Kim, Hyejeong Hong, Hong-Sik Kim, and Sungho Kang, Member, IEEE

  2. Outline • INTRODUCTION • PROPOSED PARALLEL STRING MATCHING • Architecture of String Matcher • Gray Code-Based Sorting • Bit Position Grouping • PERFORMANCE EVALUATION

  3. INTRODUCTION • The DFA-based string matcher improves both regularity and scalability with lower time complexity [1]. • However, the memory requirements are proportional to the numbers of states and input symbols.

  4. INTRODUCTION • In order to reduce the memory requirements for the DFAbased string matching, the bit-split string matching using Aho- Corasickalgorithm [2] was proposed in [3]. • The bit-split string matching partitions target patterns into subgroups with a list of the lexicographically sorted target patterns.

  5. INTRODUCTION • Due to the biased bit transitions for each bit position group, the memory usage between FSM tiles in a string matcher could be unbalanced.

  6. PROPOSED PARALLEL STRING MATCHING • The architecture of the string matcher is based on the string matching engine in [3], which is summarized as follows: • In a string matcher, each homogeneous FSM tile takes 𝑛 bits of one character (or one byte) as an input per cycle. • In a state of each FSM tile, pattern identifications are stored as a partial match vector (PMV), where the 𝑖−th bit represents whether the 𝑖−th pattern is matched or not in the state.

  7. Architecture of String Matcher • Each state in an FSM tile has 2𝑛 pointers for the next state according to 𝑛-bit input. Therefore, the memory size of a string matcher is given by: • The main difference of the proposed string matcher from the string matching engine in [3] is that bits for an FSM tile input are selected among the input bits of one character (eight bits) using eight 8:1 multiplexers to support the bit position grouping.

  8. Gray Code-Based Sorting • Target patterns are sorted based on BRGC values to reduce bit transitions between successive patterns. • When the character code values in the prefixes of target patterns are not evenly distributed, the effectiveness of the gray codebased sorting is restricted.

  9. Bit Position Grouping • Let us assume that a string matcher has four FSM tiles with two input bits. In addition, “he,” “has,” “his,” and “hers” are assumed to be the patterns to be mapped. • For all string matchers in [3], a set of bit position groups for four FSM tiles is fixed as {(8, 7), (6, 5), (4, 3), (2, 1)}, where the number represents a bit position of one character from the LSB.

  10. Bit Position Grouping

  11. Bit Position Grouping • After grouping the MSB positions with other bits, an optimal set of bit position groups can be {(8, 4), (7, 3), (6, 5), (2, 1)}.

  12. Bit Position Grouping

  13. Bit Position Grouping • The bit position grouping for a string matcher has the constant time complexity of O (1). • When all target patterns to be mapped onto multiple string matchers, the time complexity can be O(𝑇 ). • The time complexity of pattern sorting can be O (𝑇 𝑙𝑜𝑔2𝑇 ).

  14. Bit Position Grouping • However, due to the large constant factor of the bit position grouping complexity, if the number of target patterns 𝑇 is not sufficiently large, the pattern sorting will not be dominant.

  15. PERFORMANCE EVALUATION • Target patterns were extracted from Snort v2.8 rules [4]. • Considering design analysis in [3], an FSM tile was assumed to take two bits of one character as an input.

  16. PERFORMANCE EVALUATION

  17. PERFORMANCE EVALUATION • In Table I, the number of adopted string matchers was reduced on average by 4.44%, in comparison with the existing bit-split string matching in [3].

  18. PERFORMANCE EVALUATION

  19. PERFORMANCE EVALUATION • For all patterns of Snort rule sets, total rule set with 7766 unique patterns was obtained, where the average number of characters in target patterns was 18.6. • The number of total unused states in all FSM tiles was reduced on average by 13.46%.

  20. PERFORMANCE EVALUATION • When a string matcher did not adopt the fixed set of bit position groups, the proposed algorithm mapped more target patterns onto the string matcher than the method in [3].

  21. PERFORMANCE EVALUATION • In Table III, the ratio of the string matchers that did not adopt the fixed set of bit position groups was up to 33.33%.

  22. PERFORMANCE EVALUATION • Considering the performance enhancements, the proposed parallel string matching is useful for reducing memory costs without losing regularity and scalability of the string matching.

More Related