GPP-Grep: High-speed regular expression processing engine on general purpose processors

VC Valgenti, J Chhugani, Y Sun, N Satish… - Research in Attacks …, 2012 - Springer
VC Valgenti, J Chhugani, Y Sun, N Satish, MS Kim, C Kim, P Dubey
Research in Attacks, Intrusions, and Defenses: 15th International Symposium …, 2012, Springer
Abstract
Deep Packet Inspection (DPI) serves as a major tool for Network Intrusion Detection Systems (NIDS) for matching datagram payloads to a set of known patterns that indicate suspicious or malicious behavior. Regular expressions offer rich context for describing these patterns. Unfortunately, large rule sets containing thousands of patterns coupled with high link-speeds leave most regular expression matching methods incapable of matching at real-time without specialized hardware.
We present GPP-grep, an NFA-based regular expression processing engine designed for maximum performance on General Purpose Processors. The primary contribution of GPP-grep is the utilization of the data-level parallelism available in modern CPUs to reduce the overhead incurred when tracking multiple states in an NFA. In essence, we build and store the NFA in an architecture-friendly manner that exploits locality and then traverse the NFA maximizing the parallelism available and minimizing cache-misses and long-latency memory lookups. GPP-grep demonstrates 24–57× improvement in throughput over standard finite automata techniques on a set of up to 1200 regular expressions culled from the NIDS Snort, and is within 1.3× of FPGA hardware-based techniques. GPP-grep achieves 2 Gbps throughput on a dual-socket commodity CPU system allowing for line-speed evaluation on commodity hardware.