A key technique of network security inspection is by using the regular expression matching to locate the specific fingerprints of networking applications or attacks in the packet flows, and accordingly identify the underlying applications or attacks. However, due to the surge of various networking applications and attacks in recent years, even more fingerprints need to be investigated in this process, which leads to a high demand on a large memory space for regular expression matching. In addition, with the frequent upgrading of the network links nowadays, the network flow rate also increases dramatically. As a result, it demands the fast operation of regular expression matching accordingly with the enhanced throughput for network inspection. However, due to the limited space of the fast memory, the requirements on fast operations and large memory space are conflicting. On addressing this challenge, in this paper, we propose to use hybrid memory for regular expression matching. In specific, by investigating on the transition table state access probability through the Markov theory, it can be observed that there exist a number of states which are much more frequently accessed than others. Therefore, we devise a matching engine which is suitable for FPGA implementation with two-level memories, where the first-level memory uses the on-chip memory of FPGA to cache the frequently accessed state transitions, and the second-level memory, composed of slow and cheap DRAM, stores the whole state transitions. Furthermore, the L7-filter's regular expression patterns have been applied to obtain the state access probability, and different quantities of memory assignment approaches have also been investigated to evaluate the throughput.
Read full abstract