Nabi Sertac Artan

Multi-packet signature detection using prefix bloom filters

It is now a fact that manual defenses against worm epidemics are not practical. Recently, various automatic worm identification methods are proposed to be deployed at high-speed network nodes to respond in time to fast infection rates of worms. Unfortunately, these methods can easily be evaded by fragmentation of the worm packets. The straightforward defragmentation method is not applicable for these high-speed nodes, due to its high storage (memory) requirement. In this paper, this problem, namely the multi-packet signature detection problem is addressed using a defragmentation-free, space-efficient solution. A new data structure - prefix bloom filters - along with a new heuristic, called the chain heuristic is proposed to significantly reduce the storage requirement of the problem, so that multi-packet signature detection becomes feasible for high-speed network nodes.

CNoC: High-Radix Clos Network-on-Chip

Many high-radix network-on-chip (NoC) topologies have been proposed to improve network performance with an ever-growing number of processing elements (PEs) on a chip. We believe high-radix Clos network-on-chip (CNoC) is the most promising with its low average hop counts and good load-balancing characteristics. In this paper, we propose: 1) a high-radix router architecture with virtual output queue (VOQ) buffer structure and packet mode dual round-robin matching (PDRRM) scheduling algorithm to achieve high speed and high throughput in CNoC; 2) the design of hierarchical round-robin arbiter for high-radix high-speed NoC routers; and 3) a heuristic floor-planning algorithm to minimize the power consumption caused by the long wires. Experimental results show that the throughput of a 64-node three-stage CNoC under uniform traffic increases from 62% to 78% by replacing the baseline virtual channel routers with PDRRM VOQ routers. We also compared the delay, power, and area performance of the 64-node CNoC with other NoC topologies under various synthetic traffic patterns and SPLASH-2 benchmark traces. The simulation results show that in general CNoC improves the throughput, low-load delay, and energy efficiency over the compared NoC topologies.

Scalable lookahead regular expression detection system for deep packet inspection

Regular expressions (RegExes) are widely used, yet their inherent complexity often limits the total number of RegExes that can be detected using a single chip for a reasonable throughput. This limit on the number of RegExes impairs the scalability of todays RegEx detection systems. The scalability of existing schemes is generally limited by the traditional detection paradigm based on per-character-state processing and state transition detection. The main focus of existing schemes is on optimizing the number of states and the required transitions, but not on optimizing the suboptimal character-based detection method. Furthermore, the potential benefits of allowing out-of-sequence detection, instead of detecting components of a RegEx in the order of appearance, have not been explored. Lastly, the existing schemes do not provide ways to adapt to the evolving RegExes. In this paper, we propose Lookahead Finite Automata (LaFA) to perform scalable RegEx detection. LaFA requires less memory due to these three contributions: 1) providing specialized and optimized detection modules to increase resource utilization; 2) systematically reordering the RegEx detection sequence to reduce the number of concurrent operations; 3) sharing states among automata for different RegExes to reduce resource requirements. Here, we demonstrate that LaFA requires an order of magnitude less memory compared to todays state-of-the-art RegEx detection systems. Using LaFA, a single-commodity field programmable gate array (FPGA) chip can accommodate up to 25  000 (25 k) RegExes. Based on the throughput of our LaFA prototype on FPGA, we estimate that a 34-Gb/s throughput can be achieved.

Boundary Hash for Memory-Efficient Deep Packet Inspection

Network intrusion detection and prevention systems (NIDPSs) are critical for network security. The deep packet inspection (DPI) operation consumes a significant amount of resources in NIDPS. This is because to detect malicious activity DPI searches a database of signatures for each byte of every packet. In this paper, we develop a highly space-efficient data structure for hardware realization of minimal perfect hash functions (MPHFs). This data structure is simple to construct, requires 7 n bits to represent the MPHF for a set of n keys and allows high-speed DPI.

Highly Memory-Efficient LogLog Hash for Deep Packet Inspection

Todays network line rates reach speeds of 40 Gbps and are anticipated to reach 100 Gbps in the near future. These high speeds make Deep Packet Inspection (DPI) in Network Intrusion Detection and Prevention Systems (NIDPSs) very challenging. The DPI examines each incoming packet byte-by- byte and matches them against a set of predefined malicious signatures. One way to achieve high-speed DPI is to store all the signatures on high-speed on-chip memory. However, on-chip memory is limited and space-efficient data structures are needed to leverage precious on-chip memory efficiently. A hash table addressed by a Minimal Perfect Hash Function (MPHF) is such a high-speed, space efficient data structure. In this paper, we describe a highly memory-efficient MPHF, which requires 3.5 bits per key to facilitate access to the key in on-chip memory while allowing us to perform the expensive exact match operation only once. The proposed MPHF also has a low construction time.

A 10-Gbps High-Speed Single-Chip Network Intrusion Detection and Prevention System

Network Intrusion Detection and Prevention Systems (NIDPSs) are vital in the fight against network intrusions. NIDPSs search for certain malicious content in network traffic (i.e., signatures). Comparing all traffic to these signatures is a challenge for high-speed networks. In this paper, we present the implementation of a 10-Gbps hardware NIDPS and related design issues. This goal of signature detection at high-speed is achieved using a single FPGA, without any external memory. We also implemented and tested a proof-of-concept system with 1-Gbps traffic. A database to store and a Web server to display the intrusion alerts from the NIDPS were also developed for this system.

A Dynamic Load-Balanced Hashing Scheme for Networking Applications

Network applications often require large data storage resources, fast queries, and frequent updates. Hash tables support these operations with low costs, yet they cannot provide worst-case guarantees because of hash collisions. Also, the widely used, low-cost Dynamic Random Access Memory (DRAM) cannot suitably accommodate hash tables because DRAMs provide full bandwidth only if accessed in bursts, whereas hash tables require random access. In this paper, we propose a hash co-processor to support hash tables on DRAMs. The co-processor provides a load-balancing method to reduce the impact of hash collisions on the worst-case behavior by moving multiple keys within the hash table in constant time. This leads to a balanced distribution of keys in the hash table despite the collisions. Furthermore, the coprocessor guarantees the full DRAM bandwidth is always utilized by defining all fundamental hash table operations, namely insert, query, and delete, in terms of burst accesses. In the worst case, the query, delete, and insert operations take one, two, and three burst accesses, respectively. The proposed architecture reduces hash overflows by 35% compared to a naive hash table and for each key uses 6.42 bits of on-chip memory.