Abstract

The Internet environment has become increasingly complex in recent years as the number of users grows and network applications become richer. Malicious network flows are difficult to inspect using only the five-tuple information in the packet header, so application-layer traffic analysis has become an important basis for network security. Deep packet inspection (DPI) is an application-layer flow monitoring and identification technology that inspects and analyzes each network packet with a regular expression matching system to check its compliance and security. However, as Internet bandwidth continues to increase, a content recognition subsystem based on the central processing unit (CPU) is limited by the computing capability of the processor and the computational complexity of regular expressions. It struggles to identify malicious flows in a high-speed, high-traffic network environment, so the regular expression matching system has become a bottleneck in network security. This paper proposes a field-programmable gate array (FPGA)-based regular expression matching acceleration system with high computing parallelism. The regular expressions are converted into state transition tables and translated into Verilog HDL through lexical analysis. Data throughput and development efficiency are rapidly improved through innovative design of the hardware structure and the compilation tools. The function and performance of the system were verified with simulation software, and it is shown that the throughput of the system on a Xilinx Alveo U200 acceleration card exceeds 50 Gbps when more than 10,000 regular expressions with thirty transition states are implemented. This work will greatly improve the overall performance of the firewall and shorten the system iteration and upgrade cycle.
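The regex-to-table-to-Verilog flow described above can be illustrated with the following added example, which is not the paper's compiler. It assumes a small pattern subset (alphanumeric literals with optional `*`, `+` or `?`), unanchored matching over a byte stream, and a hypothetical one-byte-per-clock module interface named `re_match`.

```python
import re

def lex(pattern):
    """Lexical analysis: (literal, quantifier) tokens; quantifier is '', '*', '+' or '?'."""
    toks = re.findall(r"([A-Za-z0-9_ ])([*+?]?)", pattern)
    if not toks or "".join(c + q for c, q in toks) != pattern:
        raise ValueError("pattern is outside the supported subset")
    return toks

def compile_dfa(pattern):
    """Subset construction over token positions -> (transition table, accepting states)."""
    toks = lex(pattern); n = len(toks)
    def close(s):
        s = set(s) | {0}                        # unanchored: a match may start at any byte
        for i in range(n):                      # ascending order lets optional tokens chain
            if i in s and toks[i][1] in ("*", "?"): s.add(i + 1)
        return frozenset(s)
    def step(s, c):
        hit = [i for i in s if i < n and toks[i][0] == c]
        stay = [i for i in hit if toks[i][1] in ("*", "+")]   # repeatable token may consume again
        return close(stay + [i + 1 for i in hit])
    start = close(())
    ids, table, work = {start: 0}, {}, [start]
    for s in work:                              # work list grows while it is iterated
        for c in sorted({t[0] for t in toks}):
            t = step(s, c)
            if t not in ids:
                ids[t] = len(ids); work.append(t)
            table[ids[s], c] = ids[t]
    return table, {ids[s] for s in ids if n in s}

def scan(table, accept, data):
    """Software reference model of the generated logic: offset of the last byte of each match."""
    s, hits = 0, []
    for k, c in enumerate(data):
        s = table.get((s, c), 0)                # bytes outside the pattern restart at state 0
        if s in accept: hits.append(k)
    return hits

def to_verilog(table, accept, name="re_match"):   # module name and ports are assumptions
    w = max(1, max(s for s, _ in table).bit_length())
    arms = "\n".join(f"        {{{w}'d{s}, 8'h{ord(c):02x}}}: state <= {w}'d{t};"
                     for (s, c), t in sorted(table.items()))
    hit = " || ".join(f"state == {w}'d{a}" for a in sorted(accept)) or "1'b0"
    return (f"module {name}(input clk, input rst, input valid, input [7:0] data, output match);\n"
            f"  reg [{w-1}:0] state;\n  always @(posedge clk)\n"
            f"    if (rst) state <= {w}'d0;\n    else if (valid)\n      case ({{state, data}})\n"
            f"{arms}\n        default: state <= {w}'d0;\n      endcase\n"
            f"  assign match = {hit};\nendmodule\n")
```

Running `scan` over the same payload fed to an HDL simulation of the emitted module gives a golden reference for checking the hardware's `match` output cycle by cycle.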
