a pattern-matching scheme with high throughput performance and low memory requirement
DESCRIPTION
A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement. Author: Tsern-Huei Lee , Nai-Lun Huang Publisher : TRANSACTIONS ON NETWORKING,2012 Presenter : Jia-Wei,Yu Date: 2013/3/6. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/1.jpg)
A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement
Author: Tsern-Huei Lee, Nai-Lun HuangPublisher: TRANSACTIONS ON NETWORKING,2012Presenter: Jia-Wei,Yu
Date: 2013/3/6
1
![Page 2: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/2.jpg)
Introduction
2
• This paper presents a pattern-matching architecture with high throughput performance and low memory requirements.
• Similar to the WM algorithm.
• Shift table is replaced by Membership query module and Master bitmap.
• Prefix table is replaced by compressed AC.
![Page 3: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/3.jpg)
Architecture
3
![Page 4: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/4.jpg)
Pre-filter design (1/6)• Pattern set : abcde, cdefg, ijklmn
• Window = 5, block = 2
4
![Page 5: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/5.jpg)
Pre-filter design (2/6)
• Input data :xyzcdabcde• MB (master bitmap) = 1111
• xyzcdabcde • QB (query bitmap) = 1010• MB = MB & QB = 1010
5
![Page 6: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/6.jpg)
Pre-filter design (3/6)
MB = 1010
Shift = m-k+1-r full match ? shift = 5 – 2 + 1 – 3 = 1 => 1 : full match , 0 : do nothing
MB = MB >> 1MB = 1101Filled with 1’s for the holes left by the shift.
6
![Page 7: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/7.jpg)
Pre-filter design (4/6)
• xyzcdabcde• MB = 1101• QB = 0000• MB = MB & QB = 0000 , shift 4• => MB = 1111
7
![Page 8: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/8.jpg)
Pre-filter design (5/6)
• xyzcdabcde• MB = 1111• QB = 0101• MB = MB & QB = 0101 , do full match , shift 2• => MB = 1101
8
![Page 9: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/9.jpg)
Pre-filter design (6/6)
• Input data : xxxdefxxx• MB = 1111 , QB = 0010• MB = MB & QB = 0010 , we can shift 1 byte• Possible : xxdex• Impossible : xdexx , dexxx
• Input data : xxxdefxxx• MB = 1001 , QB = ????• Can shift 3 bytes or more. 9
![Page 10: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/10.jpg)
Verification engine (1/5)
10
![Page 11: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/11.jpg)
Verification engine (2/5)
• Branch state • First single child state• Leaf state / match state
11
![Page 12: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/12.jpg)
Verification engine (3/5)
12
![Page 13: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/13.jpg)
Verification engine (4/5)
• Our design needs two bits for every explicit state to indicate its type (branch, single-child, or leaf) and another bit to indicate whether or not a match is found in the state.
13
![Page 14: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/14.jpg)
Verification engine (5/5)
• Compacted_Patterns
14
![Page 15: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/15.jpg)
Experimental result (1/6)
15
• The experiments are conducted on a PC with an Intel Pentium 4 CPU operating at 2.80 GHz with 512 MB of RAM, 8 kB L1 data cache, and 512 kB L2 cache.
• The entire ClamAV pattern set is used, containing 29179 string signatures. The minimum, maximum, average, and total lengths of the signatures are 10, 210, 66.43, and 1938433 B, respectively.
• The total number of states generated by the AC algorithm is 1844895.
• Input data : 2.2 MB
![Page 16: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/16.jpg)
Experimental result (2/6)
16
![Page 17: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/17.jpg)
Experimental result (3/6)
17
![Page 18: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/18.jpg)
Experimental result (4/6)
18
![Page 19: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/19.jpg)
Experimental result (5/6)
• If the average size of a malicious program is 1 kB, then the respective fraction of malicious traffic for 10, 100, or 1000 signatures is about 0.45%, 4.5%, or 45%.
19
![Page 20: A Pattern-Matching Scheme With High Throughput Performance and Low Memory Requirement](https://reader036.vdocument.in/reader036/viewer/2022062323/56816712550346895ddb7c87/html5/thumbnails/20.jpg)
Experimental result (6/6)
20