Regular expression matching is the core function of many network security applications, such as network intrusion detection systems. As network bandwidth increases, implementing regular expression matching at line rate for packet processing becomes a major challenge. To this end, this paper proposes XAV, a novel scheme targeting high-performance regular expression matching. XAV first employs an anchor DFA to tackle the state explosion problem of DFAs. Then, on top of the anchor DFA, two techniques, pre-filtering and regex decomposition, are used to improve the average time complexity. Implemented on an FPGA-CPU architecture, XAV achieves a matching throughput of up to 75 Gbps in comprehensive experiments on the large and complex Snort rule set. Compared to state-of-the-art software schemes, XAV delivers a two-order-of-magnitude performance improvement; compared to state-of-the-art FPGA-based schemes, it delivers more than a 2.5x improvement at the same hardware resource consumption.
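The abstract names two effects without showing them: DFA state explosion and pre-filtering. The following added example (not code from the XAV paper or its authors) illustrates both on a toy scale. For state explosion it uses a textbook subset construction over a hand-built NFA for the pattern family `a.{n}b`, once with the implicit `.*` prefix that an unanchored rule carries and once anchored at the start of the input; the paper's anchor DFA is assumed to exploit this anchored-versus-unanchored difference, but its actual construction is not described on this page. For pre-filtering it gates a full regex evaluation behind a cheap substring check on a required literal. The rules, literals and payloads are constructed for the example.

```python
"""Added example (not from the XAV paper): DFA state explosion for
unanchored patterns, and literal pre-filtering in front of full regex
matching. Rule set, literals and payloads are constructed."""
import re
from collections import deque

ANY = "ANY"                 # wildcard symbol in the toy NFA
ALPHABET = ("a", "b", "c")  # 'c' stands in for "any other byte"


def nfa_for_pattern(n, anchored):
    """Build an NFA for a.{n}b; add a .* self-loop on the start state when
    the pattern is unanchored. Returns (transitions, accept_state) with
    transitions keyed as (state, symbol) -> set of next states."""
    trans = {}

    def add(s, sym, t):
        trans.setdefault((s, sym), set()).add(t)

    if not anchored:
        add(0, ANY, 0)            # implicit ".*" prefix of an unanchored rule
    add(0, "a", 1)
    for i in range(1, n + 1):
        add(i, ANY, i + 1)        # n wildcard bytes
    add(n + 1, "b", n + 2)
    return trans, n + 2


def step(trans, states, sym):
    """One DFA step: move every active NFA state on sym (or on ANY)."""
    nxt = set()
    for s in states:
        nxt |= trans.get((s, sym), set())
        nxt |= trans.get((s, ANY), set())
    return frozenset(nxt)


def count_dfa_states(trans):
    """Subset construction; counts reachable non-empty subsets (no dead state).
    Unanchored a.{n}b yields 2^(n+1) + 2^n states (6 for n=1, 48 for n=4);
    anchored a.{n}b yields n + 3 (4 for n=1, 7 for n=4)."""
    start = frozenset({0})
    seen = {start}
    work = deque([start])
    while work:
        cur = work.popleft()
        for sym in ALPHABET:
            nxt = step(trans, cur, sym)
            if nxt and nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return len(seen)


# Constructed toy rules: (required literal, full regex). A real engine would
# extract the literal from the regex automatically; here it is given by hand.
RULES = [
    (b"/cgi-bin/", re.compile(rb"/cgi-bin/[^\s]*\.\./")),
    (b"cmd.exe", re.compile(rb"cmd\.exe\?/c\s")),
]

PAYLOADS = [  # constructed sample traffic
    b"GET /index.html HTTP/1.1",
    b"GET /cgi-bin/../../etc/passwd HTTP/1.1",
    b"GET /cgi-bin/printenv HTTP/1.1",
    b"GET /scripts/cmd.exe?/c dir HTTP/1.1",
    b"POST /login HTTP/1.1",
]


def scan(payloads, rules):
    """Pre-filter each (payload, rule) pair on the rule's literal; only pairs
    that pass reach the regex engine. Returns (regex_evaluations,
    list of matching rule indices per payload)."""
    regex_runs = 0
    hits = []
    for p in payloads:
        matched = []
        for idx, (lit, rx) in enumerate(rules):
            if lit not in p:          # cheap check: skip the expensive regex
                continue
            regex_runs += 1
            if rx.search(p):
                matched.append(idx)
        hits.append(matched)
    return regex_runs, hits


if __name__ == "__main__":
    for n in (1, 2, 4, 6):
        u = count_dfa_states(nfa_for_pattern(n, anchored=False)[0])
        a = count_dfa_states(nfa_for_pattern(n, anchored=True)[0])
        print(f"n={n}: unanchored DFA {u} states, anchored DFA {a} states")
    print(scan(PAYLOADS, RULES))
```

With five payloads and two rules there are ten (payload, rule) pairs, but only three reach the regex engine; the two true matches are still found. The DFA counts show why the anchor matters: the unanchored automaton must remember which of the last n+1 bytes could have begun a match, so its state count doubles with every added wildcard position, while the anchored one grows linearly.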