String matching has recently become a performance bottleneck in network intrusion detection, anti-virus, anti-worm and other signature-based information security systems. Unlike a firewall, a network intrusion detection system (NIDS) examines not only packet headers but also packet bodies; that is, it performs deep packet inspection (DPI). Multi-pattern string matching is the specific type of string matching performed in DPI systems: the input stream is searched for a set of patterns rather than a single pattern. Due to rising traffic rates, the increasing number and sophistication of attacks, and the collapse of Moore's law for sequential processing, traditional software solutions can no longer meet the high requirements of today's security challenges. Hardware approaches have therefore been proposed to accelerate pattern matching. Because they combine the flexibility of software with near-ASIC performance, reconfigurable hardware devices based on Field Programmable Gate Arrays (FPGAs) have become increasingly popular for this purpose. There are three main approaches to performing the computation-intensive multi-pattern string matching task on an FPGA. Their techniques (and underlying technologies) are: content addressable memory (based on digital comparators), the Bloom filter (based on hash functions) and the Aho-Corasick algorithm (based on finite automata). This article investigates the second approach, the Bloom filter. It explores the features (advantages and disadvantages) of this approach in terms of resource costs, speed and throughput parameters, and scaling parameters. The basic scheme and its modifications are considered. The performance characteristics, problems and challenges of implementing this approach on reconfigurable accelerators, as well as ways to overcome them, are analyzed.
The results obtained make it possible to improve the technical parameters of pattern matching modules at design time; these modules are speed-critical hardware components of signature-based information protection systems. The knowledge obtained in this study allows developers to create more effective reconfigurable means for information security.