Range hash for regular expression pre-filtering

Masanori Bando, N. Sertac Artan, Rihua Wei, Xiangyi Guo, H. Jonathan Chao

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Recently, major Internet carriers and vendors successfully tested high-speed backbone networks at 100-Gbps line speed to support rapid growth of the Internet traffic demands. In addition, traffic is getting more concentrated to points such as data centers, and demand for protecting such high-speed networks from attack traffic is increasing. Deep Packet Inspection (DPI) with Regular Expression (RegEx) detection is the de facto defense mechanism agains network intrusions. However, current RegEx detection systems cannot keep up with the upcoming high-speed line rate. The RegExes consist of three types of components, exact strings, character classes (CC), and repetitions. Exact string and repetition matching have been widely studied by RegEx research community for better performance. Yet, although more than 55% of RegExes in Snort signature set contain at least one CC, hardware based solutions that focus on CC detection is limited. In this paper we propose a new CC detection architecture called Range Hash that is suitable for high-speed, compact CC detection. Additionally, we propose a practical application of the Range Hash architecture where it can be used as a pre-filter for a Regular Expression detection system to increase overall RegEx detection performance. Based on our hardware prototype design which runs at 250MHz, Range Hash can reach to 100-Gbps CC detection throughput with today's FPGA chips.

Original languageEnglish (US)
Title of host publicationANCS 2010 - Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
StatePublished - 2010
Event6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, ANCS 2010 - La Jolla, CA, United States
Duration: Oct 25 2010Oct 26 2010

Other

Other6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, ANCS 2010
CountryUnited States
CityLa Jolla, CA
Period10/25/1010/26/10

Fingerprint

HIgh speed networks
Internet
Hardware
Field programmable gate arrays (FPGA)
Inspection
Throughput

Keywords

  • Pre-Filter
  • Range
  • Range matching
  • Regular expressions

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Electrical and Electronic Engineering

Cite this

Bando, M., Artan, N. S., Wei, R., Guo, X., & Chao, H. J. (2010). Range hash for regular expression pre-filtering. In ANCS 2010 - Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems [5623834]

Range hash for regular expression pre-filtering. / Bando, Masanori; Artan, N. Sertac; Wei, Rihua; Guo, Xiangyi; Chao, H. Jonathan.

ANCS 2010 - Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems. 2010. 5623834.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Bando, M, Artan, NS, Wei, R, Guo, X & Chao, HJ 2010, Range hash for regular expression pre-filtering. in ANCS 2010 - Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems., 5623834, 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, ANCS 2010, La Jolla, CA, United States, 10/25/10.
Bando M, Artan NS, Wei R, Guo X, Chao HJ. Range hash for regular expression pre-filtering. In ANCS 2010 - Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems. 2010. 5623834
Bando, Masanori ; Artan, N. Sertac ; Wei, Rihua ; Guo, Xiangyi ; Chao, H. Jonathan. / Range hash for regular expression pre-filtering. ANCS 2010 - Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems. 2010.
@inproceedings{4f8ce4b51d7d4541b08af7352245673f,
title = "Range hash for regular expression pre-filtering",
abstract = "Recently, major Internet carriers and vendors successfully tested high-speed backbone networks at 100-Gbps line speed to support rapid growth of the Internet traffic demands. In addition, traffic is getting more concentrated to points such as data centers, and demand for protecting such high-speed networks from attack traffic is increasing. Deep Packet Inspection (DPI) with Regular Expression (RegEx) detection is the de facto defense mechanism agains network intrusions. However, current RegEx detection systems cannot keep up with the upcoming high-speed line rate. The RegExes consist of three types of components, exact strings, character classes (CC), and repetitions. Exact string and repetition matching have been widely studied by RegEx research community for better performance. Yet, although more than 55{\%} of RegExes in Snort signature set contain at least one CC, hardware based solutions that focus on CC detection is limited. In this paper we propose a new CC detection architecture called Range Hash that is suitable for high-speed, compact CC detection. Additionally, we propose a practical application of the Range Hash architecture where it can be used as a pre-filter for a Regular Expression detection system to increase overall RegEx detection performance. Based on our hardware prototype design which runs at 250MHz, Range Hash can reach to 100-Gbps CC detection throughput with today's FPGA chips.",
keywords = "Pre-Filter, Range, Range matching, Regular expressions",
author = "Masanori Bando and Artan, {N. Sertac} and Rihua Wei and Xiangyi Guo and Chao, {H. Jonathan}",
year = "2010",
language = "English (US)",
isbn = "9781450303798",
booktitle = "ANCS 2010 - Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems",

}

TY - GEN

T1 - Range hash for regular expression pre-filtering

AU - Bando, Masanori

AU - Artan, N. Sertac

AU - Wei, Rihua

AU - Guo, Xiangyi

AU - Chao, H. Jonathan

PY - 2010

Y1 - 2010

N2 - Recently, major Internet carriers and vendors successfully tested high-speed backbone networks at 100-Gbps line speed to support rapid growth of the Internet traffic demands. In addition, traffic is getting more concentrated to points such as data centers, and demand for protecting such high-speed networks from attack traffic is increasing. Deep Packet Inspection (DPI) with Regular Expression (RegEx) detection is the de facto defense mechanism agains network intrusions. However, current RegEx detection systems cannot keep up with the upcoming high-speed line rate. The RegExes consist of three types of components, exact strings, character classes (CC), and repetitions. Exact string and repetition matching have been widely studied by RegEx research community for better performance. Yet, although more than 55% of RegExes in Snort signature set contain at least one CC, hardware based solutions that focus on CC detection is limited. In this paper we propose a new CC detection architecture called Range Hash that is suitable for high-speed, compact CC detection. Additionally, we propose a practical application of the Range Hash architecture where it can be used as a pre-filter for a Regular Expression detection system to increase overall RegEx detection performance. Based on our hardware prototype design which runs at 250MHz, Range Hash can reach to 100-Gbps CC detection throughput with today's FPGA chips.

AB - Recently, major Internet carriers and vendors successfully tested high-speed backbone networks at 100-Gbps line speed to support rapid growth of the Internet traffic demands. In addition, traffic is getting more concentrated to points such as data centers, and demand for protecting such high-speed networks from attack traffic is increasing. Deep Packet Inspection (DPI) with Regular Expression (RegEx) detection is the de facto defense mechanism agains network intrusions. However, current RegEx detection systems cannot keep up with the upcoming high-speed line rate. The RegExes consist of three types of components, exact strings, character classes (CC), and repetitions. Exact string and repetition matching have been widely studied by RegEx research community for better performance. Yet, although more than 55% of RegExes in Snort signature set contain at least one CC, hardware based solutions that focus on CC detection is limited. In this paper we propose a new CC detection architecture called Range Hash that is suitable for high-speed, compact CC detection. Additionally, we propose a practical application of the Range Hash architecture where it can be used as a pre-filter for a Regular Expression detection system to increase overall RegEx detection performance. Based on our hardware prototype design which runs at 250MHz, Range Hash can reach to 100-Gbps CC detection throughput with today's FPGA chips.

KW - Pre-Filter

KW - Range

KW - Range matching

KW - Regular expressions

UR - http://www.scopus.com/inward/record.url?scp=78650426575&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78650426575&partnerID=8YFLogxK

M3 - Conference contribution

SN - 9781450303798

BT - ANCS 2010 - Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems

ER -