efficient fpga-based regular expression pattern matching

European and Mediterranean Conference on Information Systems 2008 ( ) May 25-26 2008, Al Bustan Rotana Hotel, Dubai

EFFICIENT FPGA-BASED REGULAR EXPRESSION PATTERN MATCHING Atta Badii, Adedayo Adetoye, Dhaval Patel, Khurram Hameed Intelligent Media Systems & Services Research Laboratory, Department of Computer Science, School of System Engineering, University of Reading, Reading RG6 6AY, United Kingdom, {atta.badii, a.o.adetoye, d.patel, sis06kh}@reading.ac.uk

Abstract An approach to the automatic generation of efficient Field Programmable Gate Arrays (FPGAs) circuits for the Regular Expression-based (RegEx) Pattern Matching problems is presented. Using a novel design strategy, as proposed, circuits that are highly area-and-time-efficient can be automatically generated for arbitrary sets of regular expressions. This makes the technique suitable for applications that must handle very large sets of patterns at high speed, such as in the network security and intrusion detection application domains. We have combined several existing techniques to optimise our solution for such domains and proposed the way the whole process of dynamic generation of FPGAs for RegEX pattern matching could be automated efficiently.

1. INTRODUCTION Regular Expressions (RegEx) are widely used in computing applications for finding the patterns or strings of interest in a given stream of data or text. These expressions are also used to express the quite complex combinations of different patterns in a very concise manner hence reducing the redundancy. One of the most important applications of RegEx is in the Network Intrusion Detection Systems (NIDS) where the malicious traffic is identified by matching the pre-known set of patterns or strings represented in the form of RegEx. A relatively high proportion of the computational load in NIDS applications can involve regular expression matching which thus consumes a high percentage of computation time particularly as the number of such sets that are being processed at any given time in NIDS can increase to a large number very rapidly. Since network speeds have to keep up with user demands for higher quality services, rising multimedia volumes of traffic and ambient and social computing heralding ubiquitous networked connectivity of internet of people, things and service that will inevitably translate to the need for more and faster traffic throughput, a hardware solution for the pattern matching engine to serve NIDS in such environments would appear to be a compelling requirement. Since the set of patterns to be examined are expected to continue to grow as well as change over time, the underlying computation will need reconfigurable hardware as the basis of the dynamically responsive fast pattern matching that is needed to support NIDS particularly for the higher speed networks. Therefore, Field Programmable Gate Array (FPGA) devices are deployed for this due to their inherent characteristic of re-configurability and parallel processing potential that confer a capability for dynamically re-programmable hardware-based digital logic to support ultra fast computation. Regular expressions offer advantages such as space compacting in that single expressions can in effect represent a large number of strings in a very compact form. Hence


hardware solutions for regular expression pattern matching are being deployed particularly exploiting FPGAs in application domains using regular expressions such as NIDS, email monitoring and datamining where frequent updates to the reference patterns are required. FPGAs are thus the technology of choice for applications such as NIDS which need to dynamically maintain up-to-date specialised hardware engines for high speed and high responsiveness performance. Accordingly there is considerable interest in optimising methods for generating automatic FPGA circuits for a given set of RegEx [e.g. Bispo et al 2006, Cho et al 2002, Iver et al 2002]. The use of the NFA approach was first suggested in [Sidhu & Prasanna 2001]. However their dynamic reconfiguration has not been deployed in [Franklin et al 2002] who also developed an NIDS based on the NFA approach hence their FPGA designs need recompiling each time the rules for matching the RegExp are updated. An example of an approach which exploits dynamic reconfigureability is that reported in [Gokhale et al 2002] who used a “match vector” approach to compare packet content from a data pipeline against entries in a content addressable memory (CAM). The resulting vector locates the entries in the CAM that caused a match. The data packet is appended with the match vector and this is passed to the software for further processing. We have adopted the Non-deterministic Finite Automata approach to building FPGA-based automata [Sidhu & Prasanna 2001] for our research to implement the RegEx pattern matching engine with some additional glue logic. We have investigated and presented here the most important issues to be resolved in this process, including: i) A novel solution for avoiding redundancy in the character set to be matched (the characters may be drawn from a coding scheme such as the ASCII character set) ii) A method for handling any possible data collision in the circuits, iii) An approach for optimising the number of signals and logic cells required for the implementation of such FPGA circuits.

2. REGULAR EXPRESSIONS Regular expressions are widely used in many applications ranging from network intrusion detection to lexical analysis of text documents. This paper is about the generation of efficient FPGA-based pattern matching circuits given a set of regular expressions. We shall start by introducing some notational conventions and describing commonly used regular expression constructors that we shall refer to later on in the paper. We adopt the Perl-Compatible Regular Expression (PCRE) regular expression syntax. We use 1

the typeface a, b, c, for characters used to construct regular expressions and the typeface c, c i , r, r i for regular expression variables where c and c i represent character variables and r and r i are general regular expression variables. For example, a regular expression r is [c 0 , c 1 ,.., c 5 ] and an instance of r is [abcdef] where, c 0 is the character a, c 1 is the character b, and so on. Under the PCRE scheme, the semantics of the expression [abcdef] is to match any of the characters a, b, c,


d, e, or f. For regular expressions of the form [c 0 ,.., c n ], we shall sometimes write [c i ], where i ranges over some index set i= { 0 , . . . , n }, which is assumed to be understood. A special case of the character class constructor, […], is the construction [ˆc 0 ,..,c n ], which matches a single character, except those in the set {c 0 ,..,c n }. In addition to the character class constructor, we also refer to other standard PCRE constructors such as the alternation |, where r 1 |r 2 matches either of r 1 or r 2 and quantifier meta characters such as * (match 0 or more times)? (optionally match but, at most once), and, + (match at least one or more times) all of which have the standard semantics (Friedl 2006). In the paper we assume an 8-bit character encoding scheme and throughout the discussion unless explicitly stated otherwise we assume that c is the alphabet set of all the possible 8-bit characters considered. In particular, c circumscribes the alphabet set over which regular expressions are constructed . For any character c ε C, we write c and c L for the four most significant bits (MSBs) and the four least significant bits (LSBs) respectively. For ease of presentation we assume the ASCII coding scheme when writing regular expressions, although this coding scheme only uses about half of the 256 possible encodable characters space. This is purely to aid presentation, and the technique presented will be applicable to any particular coding scheme. In particular, under the ASCII coding scheme, the character a corresponds to the binary code H

2

point 01100001; hence, a

H

L

= 0110 and a = 0001.

2

2.1 Regular expression matching circuits Regular expressions are a powerful method for generating rules and inspecting payload for NIDS applications including SNORT, BRO and L7 filter [Levandoski et al 2007, SNORT/BRO publications]. Such deep payload inspection systems deploy regular expressions for their rules to take advantage of the efficiency gains conferred through RegEXp expressability and compactness. The key challenge in RegEx matching is to optimally implement an efficient pattern matching circuits based on a set of given regular expressions, to support intrusion detection in a network environment where at any time several thousands of such expressions may need to be matched and where the expressions might change over time. Clearly an FPGA-based architecture is wellsuited to overcoming the challenges posed because of the scale of functional units available in modern hardware and the ability to reprogram the system. We assume that the set of regular expression patterns to be used for exact string matching are indexed. These indices are later used to indicate which of the pattern(s) are matched when there is a match against the text.

2.1.1 Modelling the matching state The basic building block of regular expression matching engines implemented on FPGA are finite automata. A regular expression matcher can be implemented as a finite state machine, whether


Deterministic Finite Automata (DFA) or Nondeterministic Finite Automata (NFA), both of which accept precisely the same strings as the regular expression. The NFA approach has the advantage of being able to match quite complex regular expressions, without the usual stage of needing to convert the NFA into a Deterministic Finite Automata (DFA). We shall use NFAs to model the regular expression matching state. Here our approach is similar to the technique originally proposed in [Sidhu & Prassana 2001]. The basic idea is that a regular expression may be viewed as a sequence of sub-expressions denoting matching points in the pattern to be matched. Each matching point corresponds to a relevant regular expression circuit whose result must be activated when that point is reached in the matching process. Sequential flip flops are used to keep track of the current matching point in parallel 3 as it ripples through the flip flop sequence whose outputs are combined with AND gates to the current matching circuit to “activate” the next matching stage. It must be noted that there may be more than one active matching point at a time. This setup is illustrated in Figure 1 for the expression r 1 r 2 · · · r n , where r i is the circuit for i matching point.

th

Figure 1 Modelling regular expression machine state

3. FPGA DESIGN In this section, we present the design strategy for efficient and optimal implementation regular expression based pattern matching circuits using FPGA technology. This can be summarised as follows. The basic idea is to exploit syntactic and structural redundancies in the set of regular expressions being encoded and also semantic redundancy prescribed by meta-characters in regular expressions. The alphabet space over which regular expression characters are defined is usually very small relative to the set of possible expressions that can be constructed or that will be needed in practice. For example, suppose we have an alphabet space S = {a, b}. While there are infinitely many regular expressions that can be constructed over S, the fact that there are just two alphabet elements means that we may need only two comparators (one for each alphabet element), which are shared by all circuits implementing different regular expressions. An important consideration is that in order to minimise hardware requirements we need to exploit the semantic redundancies introduced by syntactic constructs *, ?, +, and […]. For example, in the expression a*b, the character a may be repeated any number of times; thus introducing a


semantic redundancy, which is to be exploited in the hardware design. A key optimisation opportunity in taking advantage of the semantics of the […] constructor is the observation that the constructor encodes a set, whose operational interpretation is to test a given character for membership of that set. Hence, if we can implement efficient but minimal comparators for sets of characters, then we may exploit this semantic property to significantly reduce the hardware space and processing time requirements; i.e. the route the realisation of benefits conferred by semantic redundancies is through embedding efficient comparator design in the computational logic architecture. 3.1. Encoding set of characters efficiently The basic logic construction that we use as a comparator is the same as that used in [Sidhu & Prassana 2001] as shown in Figure 2. It consists of two 16-to-1 bit multiplexers, which very efficiently match a single 8-bit character. The schematic of a comparator is shown in Figure 3(a). However, we have deployed a novel technique whereby a single comparator can be used to encode a set of characters, as opposed to one character as proposed in [Sidhu & Prassana 2001]. We state that a comparator encodes a set of characters if it matches a character whenever, and only if, that character is in that set. In other words, the comparator which encodes a set S ⊆ c implements the set membership relation ∈ over S. The technique results in a very significant utilisation of hardware without altering the intrinsic character-matching efficiency of the comparator. In particular, the comparator can efficiently encode up to the theoretical limit of | c | = 256 5

characters of C .

Figure 2 an efficient comparator showing input line values for the regular expression (a|b) We have assigned names for the comparator inputs for ease of reference. Referring to Figure 2, above, it is clear that the comparator implements a look-up table with the two 16-to-1 bit multiplexers and has altogether 32 control inputs labelled a

l 0....l31 and an 8-bit selector labelled as

s 0..... s 7 . The control inputs encode the set of characters against which a character may be


matched. The incoming 8-bit character to be matched is assigned in the same order as the selector lines with the LSB on line s0 and the MSB on a line control lines is presented in section 3.1.1.

s7

. The detail of how to assign values to the

To illustrate the chip area efficiency that can be achieved in this way by encoding a set of characters in a comparator, suppose that in an e-mail related application we wish to check that a given character is not @ or any of the ASCII characters between A and O inclusive. This requirement may be captured by the regular expression [ˆ@A-O] which matches any character in the set S = C\ {@, A, B, . . . ,O}. Using the technique presented in section 3.1.2. We discover that the set S, which has a cardinality of 240, can be implemented on a single comparator with all

l

input bit except 19 set to 1. This is a very significant save in area and complexity of circuitry as opposed to a scenario (a), where the same regular expression is natively implemented using a comparator for each character in S combined together with OR gates; or even in the scenario (b), where the characters of the set {@, A, B, . . . ,O} are loaded in a comparator each and their OR combination inverted. 3.1.1 Assigning control line values We now show how to assign the control lines in a comparator encoding a set of characters. Let dec (·) be a function which converts a binary number to its decimal value. Given a set S ⊆ c of characters to be encoded, we define a function E that returns a set of control line indices that must be enabled in order to match any character in the set s as

E ( S )∀{li , l j | ∃c ∈ S , i = dec(c L ), j = 16 + dec(c H )} Applying (1) to the set S = {a, b}, since the ASCII code for a and b respectively are 01100001 H

H

L

L

and 01100010, we have dec (a ) = dec (b ) = 6 and dec (a ) = 1 and dec (a ) = 2. Hence

E ( S ) = {l1 , l 2 ,.., l 22 ) as demonstrated by the enabled control lines in Figure 2.

The comparator encoding shown in Figure 2 matches precisely only a or b. However, for

arbitrary sets S ⊆ C enabling the lines E (S ) in a single comparator does not preclude that comparator from matching characters not in S a situation that we refer to as code collision in the comparator. Thus, in order to encode an arbitrary set S we must encode only collision-free subsets of S in comparators whose results are then combined in an OR formation. We start by presenting the property of collision-free subsets of an arbitrary subset of C , and then present an efficient technique for computing one. 3.1.2 Deriving collision-free subsets Code collision results in a comparator matching more than the intended set of characters. To illustrate this problem, consider the regular expression [aR], whose semantics is to match any character in the set S = {a, R}. Using equation (1), if we enabled the lines

E ( S ) = {l1 , l 2 ,.., l 22 ) in a comparator, that comparator will match not only characters a and R but,

also b and Q. This is because the character code of b can be derived by pairing a and similarly, Q

H L has the code R a . This problem is easily avoided by using only collision-free subsets of S in


each comparator which, in this example, is the singleton subsets of {a, R}. We now present the detail in the more general case. The general problem is that given a set S ⊆ C , we want to find the minimal number of ' comparators such that a character c is matched if and only if C ∈ S . Any subset S ⊆ S is ' collision-free (with respect to S ), if for any pair of characters C1 , C 2 ∈ S we also have that

H

L

H

L

C1 C 2 , C 2 C1 ∈ S . This means that by swapping the four LSBs of any pair of characters in S ' , no new character can be derived (and thus matched) that is not in S . The set S ' can thus be

loaded into a comparator with the guaranteed property that the comparator matches only characters in S . The next step is to ensure that we cover the set S by using enough collision-free subsets so that all characters in S are matched. This problem can be constructed as the standard set covering problem [Balas & Padberg 1976] as follows. Define the set of all collision-free subsets of S as

Fs ∀{S ' ⊆ S | S | c1 , c 2 ∈ S ' Find the minimum-size subset

S' ∈F

H

L

H

L

c1 c 2 , c 2 c1 ∈ S }....( 2)

F ⊆ FS

such that

= S .......(3)

3.1.3 Finding minimal systems of comparators This optimisation problem is NP-hard [Garey & Johnson 1979], but the greedy algorithm below can be implemented to run in time polynomial in | S | and | fS |.

Input: Set S and fS . Output: A minimal collision-free family, X, of subsets covering S .

X ←φ While S ≠ φ do Y ∈ fs Select an which maximise | Y ∩ S | S ← S /Y X ← X ∪ {S ' }

End Algorithm 1: Greedy set cover algorithm

European and Mediterranean Conference on Information Systems 2008 ( ) May 25-26 2008, Al Bustan Rotana Hotel, Dubai 6 c c ∈ C , c1 Rs c 2 ifc1 , c 2 ∈ S Define an equivalence relation , R s over S such that for any 1, 2 and

L

H

H

L

{c3 | ∃S , c3 = c1 } = {c 4 | ∃c 4 ∈ S , c 4

H

H

= c2 }

...(4)

It is easy to see that RS is an equivalence relation over S, and in general a partial equivalence relation over C. Intuitively, two elements c1 and c2 of S are related by RS if by replacing the four LSBs of c1 with those of c2, or vice versa, no new character can be derived that is not in S. That H L H L cRc is C1 C 2 , C 2 C1 ∈ S . if 1 s 2

The import of this property is that if a comparator is encoded with only characters that are related by RS then no character can be incorrectly matched. Thus this property guarantees the semantic correctness of the matching unit. Accordingly given an arbitrary set S of characters to be matched, we can derive a matching circuit that matches only the elements of S by partitioning it via R S and encoding each (collision-free) partition in a comparator. These collision-free partitions of S are given by

c − free( s )∀{[c]Rs | c ∈ S }.........(5) [c]R

s stands for the equivalence class of c under the equivalence As usual, the standard notation relation Rs. By encoding the sets in c-free ( S ) in a comparator each, with the comparator outputs ORed together, we achieve an efficient circuit matching precisely the elements of S . However, this is not necessarily the smallest system of comparators that can correctly encode S and by taking advantage of the fact that the comparators are combined together with OR logic we may be able to further reduce the number of comparators used. The analysis of this optimisation however falls outside the scope of this paper. We now show how to efficiently compute c-free ( S ).

By exploiting the reflexive and transitive closure property of equivalence relations, we can efficiently compute the sets c-free ( S ) of the equivalence classes of Rs. In particular, let

I = {c H | c ∈ S } be an index set of the H-bits of characters in S ; reflexivity of Rs. means that S i ∀{c ∈ S | c H = i} i∈I

for any

, all elements of the set L

belong to the same equivalence class of

Rs. Furthermore, if we define S i ∀{c | c ∈ S i } for any i ∈ I the transitivity of Rs. means that L L Si = S j Si ∪ S j i, j ∈ I L

for any pair such that then all elements of the set also belong to the Rs . same equivalence class of This gives us a straightforward algorithm to compute Rs. for any set S as shown in algorithm 2. Input: Set: S of characters. Output: Collision-free subsets of ( S j ) j∈J . /* Partition S to subsets, indexed by the set I of H - Bits. */

I ←Φ

For all c ∈ S do


if c H ∉ I then

S cH ← {c}

I ← I ∪ {c H } else

S cH ← S cH ∪ {c}

end end L

For all i ∈ I , define S i = {c L | c ∈ S i } /* Merge Partition as necessary and create a new index set J */

J ←φ

for all i ∈ I do L

L

if ∃j ∈ J and S i = S j then

S j ← Si ∪ S j else

J ← j ∪ {i}

end end Algorithm 2: computing collision free subsets 3.1.4

Finding minimal systems of comparators

For an arbitrary set S of characters to be matched, the process, as described above, whereby we encode the elements of c-free( S ) in a comparator each, does not necessarily result in a system of comparators with the minimum number of comparator count. The problem of minimising the number of comparators required to encode the set S can be reduced to the set covering problem. In particular, since the comparators are combined with OR gates, it does not matter which or how many comparators match a character as long as the semantics of the comparator system covers S . We can formalise the problem as follows. H

H

H

H

Find the smallest S ⊂ f∀{ X ⊆ S | ∀c1 , c 2 ∈ X : c1 c 2 , c 2 c1 ∈ S }

S=

X.

X ∈S Such that This problem is NP-Hard, but the following greedy algorithm has been shown to compute such an S in O (n)....

3.1.5 Formal semantics We define the semantics of a comparator C, written [[C]] as the set of characters encoded by that comparator. Hence

[[C ]]∆{c ∈ C | c

is matched by the comparator C}. Given the set of input

l .....l

0 lines enabled in a comparator C, it is straightforward to compute [[C]]. In particular, let 31 be the input line values of comparator C; then, C matches a character c ∈ C if and

i = dec(c H ) and J = dec(c L ) , and li = l j = 1 .


We also refer to a system of comparators made up of n comparators in parallel and whose outputs are OR combined as shown in Figure 3(b). Let

Ci

th (C i ) i∈I , be the i comparator in the system it

is easy to see that this system encodes the set of characters

i∈I

[[C i ]].

We can thus view a

(C i ) i∈I ,

system of comparators, , as if it were a single comparator encoding the set This leads us to the following definition.

i∈I

[[C i ]].

Definition 3.1: A comparator C soundly encodes a set S if and only if S = [[C ]] and extension, a system

(C i ) i∈I

of comparators soundly encodes S if and only if S =

i∈I

by

[[C i ]].

We now show that given an arbitrary set S ⊆ C of characters, the collision-free partitioning of S computes a system of comparators which soundly encodes S . Lemma 3.2: The partitioning of S by Rs. produces a semantically sound system of comparators.

a. Comparator schematics

b. System of n comparator figure 3: System of n comparator 3.2 Implementing Regular Expressions We shall consider standard regular expressions of the form given by the following BNF representation:

r ::= c | [c1 .....c n ] | (r1 | r2 ) | r ? | r * | r + | r{n} | r{n, m}


c, c ∈ C

i Where, and n, m ∈ {0,1,...} . Sets of characters are encoded via collision-free partitioning into comparators as presented above. The matching state of the regular expression is implemented by an NFA.

4

CONCLUSION AND FUTURE WORK

We have presented a framework for generating efficient FPGA circuitry for regular-expressionbased pattern matching problems. A novel solution has been described that enable efficiency gains through avoiding redundancy in the character set to be matched. Further a method has been illustrated for handling any possible data collision in the circuits. This has been complemented by an approach, as set out, for optimising the number of signals and logic cells required for the implementation of such FPGA circuits. The current work has focused on the local optimisation of circuits implementing each regular expression in the database of expressions to be implemented. Future work will focus on semantically sound but more aggressive optimisation that takes into account the global set of regular expressions. This will include a highly optimised pipelined architecture in order to improve space complexity and throughput.

5. ACKNOWLEDGMENTS This work has been supported by the European Community Research Programme under the FastMatch project which is partially supported by the European Community under the Information Society Technologies (IST) priority of the 6th Framework Programme for R&D (IST- IST-27095, www.fastmatch.org)

6

REFERENCES

E. Balas and M. Padberg 1976, ‘Set partitioning: A survey. SIAM Review’, 18(4):710– 760. Joao Bispo, Yiannis Sourdis, Jo˜ao M. P. Cardoso, and Stamatis Vassiliadis, “Regular Expression Matching for Reconfigurable Packet Inspection,” in IEEE International Conference on Field Programmable Technology (FPT’06), Dec. 13-15, 2006, Bangkok Thailand, IEEE Computer Society Press, pp. 119-126. BRO IDS homepage, \http://bro-ids.org/Overview.html Y.H.Cho, S.Navab, W.H.Mangione-Smith, “Specialized Hardware for Deep Network Packet Filtering”, In proceedings of FPL2002: 12th International Conference on Field Programmable Logic and Applications, Montpellier, France September 2-4, 2002. Thomas H. Cormen, Charles E. Leiserson, and Ronald R. Rivest, 1990. ‘Introduction to Algorithms’ MIT Press, Cambridge,Massachusetts. Jeffrey Friedl 2006, ‘Mastering Regular Expressions’,O’Reilly Media Inc. R.Franklin, D.Carver and B.L.Hutchings. “Assisting Network Intrusion Detection with Reconfigurable Hardware”, Proceedings: IEEE Symposium and Field-Programmable Custom Computing Machines FCCM ’02, April 2002.


M. R. Garey and D. S. Johnson, 1979, ‘Computers and Intractability: A Guide to the Theory of NPCompleteness’ W. H. Freeman and Company, New York, New York. M.Gokhale, D.Dubois, A.Dubois, M.Boorman, S.Poole and V.Hogsett. Granidt: Towards Gigabit Rate Network Intrusion Detection Technology. FPL 2002, Lecture Notes in Computer Science 2438, pp. 4004-413, Springer-Verlag 2002. S.Iyer, R.R.Kompella, A.Shelat, PMC-Sierra Inc. “ClassiPi: An Archictecture for fast and flexible Packet Classification.”. IEEE Network March/April 2001. Justin Levandoski, Ethan Sommer and Matthew Strait, Application Layer Packet Classifier for Linux," http://l7-_lter.sourceforge.net/ Reetinder Sidhu and Viktor K. Prasanna, 2001. ‘Fast Regular Expression Matching using FPGAs. In FCCM ’01:’ Proceedings of the 9th Annual IEEE Symposiumon Field-Programmable Custom Computing Machines, pages 227–238, Washington, DC,USA,. IEEE Computer Society. SNORT IDS homepage, \http://snort.org"