Increasing Memory Efficiency of Hash-Based Pattern Matching for High-Speed Networks

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216305%3A26230%2F21%3APU142890" target="_blank" >RIV/00216305:26230/21:PU142890 - isvavai.cz</a>

Výsledek na webu

<a href="https://ieeexplore.ieee.org/document/9609859" target="_blank" >https://ieeexplore.ieee.org/document/9609859</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1109/ICFPT52863.2021.9609859" target="_blank" >10.1109/ICFPT52863.2021.9609859</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Increasing Memory Efficiency of Hash-Based Pattern Matching for High-Speed Networks

Popis výsledku v původním jazyce

Increasing speed of network links continuously pushes up requirements on the performance of network security and monitoring systems, including their typical representative and its core function: an intrusion detection system (IDS) and pattern matching. To allow the operation of IDS applications like Snort and Suricata in networks supporting throughput of 100 Gbps or even more, a recently proposed pre-filtering architecture approximates exact pattern matching using hash-based matching of short strings that represent a given set of patterns. This architecture can scale supported throughput by adjusting the number of parallel hash functions and on-chip memory blocks utilized in the implementation of a hash table. Since each hash function can address every memory block, scaling throughput also increases the total capacity of the hash table. Nevertheless, the original architecture utilizes the available capacity of the hash table inefficiently. We therefore propose three optimization techniques that either reduce the amount of information stored in the hash table or increase its achievable occupancy. Moreover, we also design modifications of the architecture that enable resource-efficient utilization of all three optimization techniques together in synergy. Compared to the original pre-filtering architecture, combined use of the proposed optimizations in the 100 Gbps scenario increases the achievable capacity for short strings by three orders of magnitude. It also reduces the utilization of FPGA logic resources to only a third.

Název v anglickém jazyce

Increasing Memory Efficiency of Hash-Based Pattern Matching for High-Speed Networks

Popis výsledku anglicky

Increasing speed of network links continuously pushes up requirements on the performance of network security and monitoring systems, including their typical representative and its core function: an intrusion detection system (IDS) and pattern matching. To allow the operation of IDS applications like Snort and Suricata in networks supporting throughput of 100 Gbps or even more, a recently proposed pre-filtering architecture approximates exact pattern matching using hash-based matching of short strings that represent a given set of patterns. This architecture can scale supported throughput by adjusting the number of parallel hash functions and on-chip memory blocks utilized in the implementation of a hash table. Since each hash function can address every memory block, scaling throughput also increases the total capacity of the hash table. Nevertheless, the original architecture utilizes the available capacity of the hash table inefficiently. We therefore propose three optimization techniques that either reduce the amount of information stored in the hash table or increase its achievable occupancy. Moreover, we also design modifications of the architecture that enable resource-efficient utilization of all three optimization techniques together in synergy. Compared to the original pre-filtering architecture, combined use of the proposed optimizations in the 100 Gbps scenario increases the achievable capacity for short strings by three orders of magnitude. It also reduces the utilization of FPGA logic resources to only a third.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

<a href="/cs/project/VI20192022143" target="_blank" >VI20192022143: Flexibilní sonda pro realizaci zákonných odposlechů</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2021

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

2021 International Conference on Field-Programmable Technology, ICFPT 2021

ISBN

978-1-6654-2010-5

ISSN

—

e-ISSN

—

Počet stran výsledku

9

Strana od-do

185-193

Název nakladatele

Institute of Electrical and Electronics Engineers

Místo vydání

Auckland

Místo konání akce

Auckland

Datum konání akce

6. 12. 2021

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

000792703100026