Increasing Memory Efficiency of Hash-Based Pattern Matching for High-Speed Networks

• https://ieeexplore.ieee.org/document/9609859

hash functions, network security, pattern matching, high-speed networks

Increasing speed of network links continuously pushes up requirements on the
performance of network security and monitoring systems, including their typical
representative and its core function: an intrusion detection system (IDS) and
pattern matching. To allow the operation of IDS applications like Snort and
Suricata in networks supporting throughput of 100 Gbps or even more, a recently
proposed pre-filtering architecture approximates exact pattern matching using
hash-based matching of short strings that represent a given set of patterns. This
architecture can scale supported throughput by adjusting the number of parallel
hash functions and on-chip memory blocks utilized in the implementation of a hash
table. Since each hash function can address every memory block, scaling
throughput also increases the total capacity of the hash table. Nevertheless, the
original architecture utilizes the available capacity of the hash table
inefficiently. We therefore propose three optimization techniques that either
reduce the amount of information stored in the hash table or increase its
achievable occupancy. Moreover, we also design modifications of the architecture
that enable resource-efficient utilization of all three optimization techniques
together in synergy. Compared to the original pre-filtering architecture,
combined use of the proposed optimizations in the 100 Gbps scenario increases the
achievable capacity for short strings by three orders of magnitude. It also
reduces the utilization of FPGA logic resources to only a third.