Efficient Pattern Matching Algorithm for Memory Architecture Author
- Slides: 18
Efficient Pattern Matching Algorithm for Memory Architecture Author: Cheng-Hung Lin and Shih-Chieh Chang Publisher: IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS 2009 Presenter: Han-Chen Date: 2010/03/03 1
Introduction o o In order to accommodate the increasing number of attack patterns and meet the throughput requirement of networks, a successful network intrusion detection system must have a memory-efficient pattern-matching algorithm and hardware design. By merging traditional AC algorithm states and constructing a new traversal mechanism on merged FSM, we can achieves 21% of memory reduction. 2
Review of AC Algorithm Pattern 1 : bcdf In a traditional AC state machine, a final state stores the corresponding match vector which is one-hot encoded. Pattern 2 : pcdg input Next state failure Match vector State 0 b 1 0 00 State 0 p 5 0 00 State 1 c 2 0 00 State 2 d 3 0 00 State 3 f 4 0 01 State 5 c 6 0 00 State 6 d 7 0 00 State 7 g 8 0 10 3
Merge States Problem Pattern 1 : bcdf Pattern 2 : pcdg 00 00 01 Merge similar transition 10 00 00 00 Input string : pcdf causes false positive results If we can memorize the precedent state entering the merged states, we can differentiate all merged states. 4
Data structure Pattern 1 : bcdf Pattern 2 : pcdg Match vector ->path. Vec_if. Final Path. Vec : record the path if. Final : whether the state is final Only add an additional bit to each state. 5
Merge_FSM Definition: Two states are defined as pseudo-equivalent states if they have identical input transitions, identical failure transitions, and identical if. Final bit, but different next states. State 2 and state 6 are similar. State 3 and state 7 are similar. 11_0 01_0 10_0 01_1 10_1 6
Construction of State Traversal Machine (1/2) 1. The construction of valid transition, failure transition, path. Vec, and if. Final functions. 2. Merging pseudo-equivalent states. Pattern 1: abcdef Pattern 2: apcdeg Pattern 3: awcdeh Add pattern : apcdeg 7
Construction of State Traversal Machine (2/2) Add pattern : awcdeh Merge similar states 8
State Traversal Mechanism on a Merge_FSM (1/3) In addition, we need a register, called pre. Reg, to trace the precedent path. Vec in each state. The width of pre. Reg is equal to the width of path. Vec. Each bit of the pre. Reg also corresponds to a string pattern. 9
State Traversal Mechanism on a Merge_FSM (2/3) Pattern 1 : bcdf Pattern 2 : pcdg Input string : p c d f 10
State Traversal Mechanism on a Merge_FSM (3/3) Pattern 1 : bcdf Pattern 2 : pcdg Input string : p c d g 11
Loop Back in Merged States(1/2) Pattern : abcdef and wdebcg Input string “abcdef” will be mistaken as a match of the pattern “abcdef” 12
Loop Back in Merged States(2/2) Patterns: abcdefghijklm and abcwsghidefxyklm 1. Using the longest common substring algorithm, we can extract all of the common substrings of these two patterns such as “abc”, “def”, “ghi” and “klm”. 2. Then, we label the substrings “abc”, “def”, “ghi”, and “klm” as α, β, γ, δ. “abcdefghijklm” is labeled as “αβγδ ” while the sequence of substrings in “abcwsghidefxyklm” is labeled as “αγβδ ”. 3. LCS result : αβδ or αγδ. we can merge the subsequences of α (“abc”), β (“def”) andδ (“klm”) or the subsequences of α (“abc”), γ(“ghi”), and δ (“klm”) 4. Output result 13
Hardware Architecture 32 patterns & 1024 transitions (states) ns_ctrl : All pre. Reg bits are 0 or n_valid is 1 ns_sel =0 Not all pre. Reg bits are 0 and n_valid is 0 ns_sel =1 14
Performance (1/3) 15
Performance (2/3) 16
Performance (3/3) 17
Thanks for your listening 18