Vlastimil Kosar
Brno University of Technology
Publication
Featured research published by Vlastimil Kosar.
architectures for networking and communications systems | 2011
Viktor Pus; Jiri Tobola; Vlastimil Kosar; Jan Kastil; Jan Korenek
Many algorithms and hardware architectures are proposed to increase processing speed of time-critical operations in the field of longest prefix matching, packet classification and regular expression matching. Despite this fact, there is still no free and easily extensible platform for evaluation, comparison and experiments with existing approaches. We propose the Netbench Framework which aims to serve as an independent platform for researchers seeking the easiest way to implement their algorithms, as well as the comparison of their algorithms with reference implementations of other approaches. The framework is provided as open source and can be easily extended to support new algorithms or new comparison methodology. Netbench is publicly available at http://www.fit.vutbr.cz/netbench.
field-programmable technology | 2013
Vlastimil Kosar; Martin Zadnik; Jan Korenek
Many algorithms have been proposed to accelerate regular expression matching via mapping of a nondeterministic finite automaton into a circuit implemented in an FPGA. These algorithms exploit unique features of the FPGA to achieve high throughput. On the other hand, the FPGA poses a limit on the number of regular expressions by its limited resources. In this paper, we investigate applicability of NFA reduction techniques - a formal apparatus to reduce the number of states and transitions in NFA prior to its mapping into FPGA. The paper presents several NFA reduction techniques, each with a different reduction power and time complexity. The evaluation utilizes regular expressions from Snort and L7 decoder. The best NFA reduction algorithms achieve more than 66% reduction in the number of states for a Snort ftp module. Such a reduction translates directly into 66% LUT-FF pairs saving in the FPGA.
design and diagnostics of electronic circuits and systems | 2010
Jan Korenek; Vlastimil Kosar
With the growing number of viruses and network attacks, Intrusion Detection Systems have to match a large set of regular expressions at multi-gigabit speed to detect malicious activities on the network. Many algorithms and architectures have been designed to accelerate pattern matching, but most of them can be used only for strings or a small set of regular expressions. We propose a new NFA-Split architecture, which reduces the amount of consumed FPGA resources in order to match a larger set of regular expressions at multi-gigabit speed. The proposed reduction uses a model of nondeterministic and deterministic automaton for effective mapping of regular expressions to FPGA. A new algorithm is designed to split the nondeterministic automaton transition table in order to map a part of the table into memory. The algorithm can place more than 49% of the transition table in memory, which reduces the amount of look-up tables by more than 43% and flip-flops by more than 38% for all selected sets of regular expressions. Moreover, a sparse transition table is mapped to memory with overlapped rows, which makes it possible to store the table in a highly compact form.
architectures for networking and communications systems | 2010
Jan Korenek; Vlastimil Kosar
Many hardware architectures have been designed to accelerate regular expression matching in network security devices, but most of them can achieve high throughput only for strings or small sets of regular expressions. We propose a new NFA Split architecture which reduces the amount of consumed FPGA resources in order to match a larger set of regular expressions. A new algorithm is introduced to find non-collision sets of states and determine the part of the nondeterministic automaton which can be mapped to the memory based architecture. For all analysed sets of regular expressions, the algorithm was able to find non-collision sets with 67.8% of states on average and reduces the amount of consumed flip-flops to 37.6% and look-up tables to 63.9% on average.
design and diagnostics of electronic circuits and systems | 2014
Vlastimil Kosar; Jan Korenek
Fast regular expression matching is widely used in many network devices. The NFA-Split hardware architecture is an efficient approach to match a large set of regular expressions at multigigabit speed with very low FPGA logic utilization. We propose optimizations of the NFA-Split architecture, which further reduce FPGA logic utilization and significantly reduce memory utilization. The amount of utilized BlockRAMs was reduced by 97% for a Snort web-cgi module and FPGA logic utilization was reduced by 34% for a Snort backdoor module. Moreover, we propose a new NFA-Split construction algorithm which decreases overall construction time up to 39 times.
architectures for networking and communications systems | 2012
Jan Korenek; Pavol Korcek; Vlastimil Kosar; Martin Zadnik; Jan Viktorin
This paper proposed a platform for rapid prototyping of high-speed and low-power embedded applications in networking. The concept utilizes the FPGA with the embedded processor to benefit from software flexibility and high performance of hardware processing. In comparison with the NetFPGA-cube, the proposed uG4-150 platform has significantly lower power consumption, cost and size.
architectures for networking and communications systems | 2011
Pavol Korcek; Vlastimil Kosar; Martin Zadnik; Karel Koranda; Petr Kastovsky
This paper describes the NetCOPE platform porting issues to the new generation of the NetFPGA(-10G) cards. Achieved throughput and CPU utilization for various lengths of packets were measured. It was shown that we are able to reach maximum throughput of 12Gbps without any significant processor load. Xilinx ISE reports approximately 30% of the NetFPGA chip utilization for a design running at 200MHz.
Applied Soft Computing | 2016
David Grochol; Lukas Sekanina; Martin Zadnik; Jan Korenek; Vlastimil Kosar
The evolutionary design can produce fast and efficient implementations of digital circuits. It is shown in this paper how evolved circuits, optimized for the latency and area, can increase the throughput of a manually designed classifier of application protocols. The classifier is intended for high speed networks operating at 100Gbps. Because a very low latency is the main design constraint, the classifier is constructed as a combinational circuit in a field programmable gate array (FPGA). The classification is performed using the first packet carrying the application payload. The improvements in latency (and area) obtained by Cartesian genetic programming are validated using a professional FPGA design tool. The quality of classification is evaluated by means of real network data. All results are compared with commonly used classifiers based on regular expressions describing application protocols.
design and diagnostics of electronic circuits and systems | 2011
Vlastimil Kosar; Jan Korenek
Intrusion Detection Systems have to match large sets of regular expressions to detect malicious traffic on multi-gigabit networks. Many algorithms and architectures have been proposed to accelerate pattern matching, but formal methods for reduction of nondeterministic finite automata have not been used yet. We propose to use reduction of automata by similarity to match a larger set of regular expressions in FPGA. The proposed reduction is able to decrease the number of states by more than 32% and the amount of transitions by more than 31%. The amount of look-up tables is reduced by more than 15% and the amount of flip-flops by more than 34%.
design and diagnostics of electronic circuits and systems | 2013
Jan Kastil; Vlastimil Kosar; Jan Korenek
As the speed of current computer networks increases, it is necessary to protect networks by security systems such as firewalls and Intrusion Detection Systems (IDS) operating at multigigabit speeds. As attacks on modern networks become more and more complex, it is necessary to detect attacks placed not only in a single packet but at the level of network flows. Pattern matching in the network flows is the time-critical operation of many modern IDS. Most of the regularly used patterns are described by regular expressions. This work describes an advanced hardware architecture for fast regular expression matching based on perfect hashing. The proposed architecture is scalable and can achieve multigigabit throughput per network flow.