Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

XAV: A High-Performance Regular Expression Matching Engine for Packet Processing

Jincheng Zhong, Shuhui Chen, Chuan Yu

TL;DR

XAV tackles the challenge of high-speed regex matching for line-rate packet processing by introducing anchor DFA to mitigate DFA state explosion, augmented with a fast xor-filter pre-filter and a regex decomposition step to bound per-thread work. The three-stage pipeline (xor filter, anchor DFA, verification) is implemented on an FPGA-CPU architecture, with the xor filter and anchor DFA on FPGA and the verification engine on CPU. Key contributions include the anchor DFA concept, regex decomposition into lsRE/lusRE, xor-filter construction, and a practical FPGA-CPU implementation with shared state-transition tables and substantial memory compression, enabling up to 75 Gbps throughput on large Snort rule-sets and major improvements over software and prior FPGA-based REM schemes. The results demonstrate strong spatial efficiency, low timing overhead, and significant CPU offloading, offering a scalable path for real-time regex matching in security appliances.

Abstract

Regular expression matching is the core function of various network security applications such as network intrusion detection systems. With the network bandwidth increases, it is a great challenge to implement regular expression matching for line rate packet processing. To this end, a novel scheme named XAV targeting high-performance regular expression matching is proposed in this paper. XAV first employs anchor DFA to tackle the state explosion problem of DFA. Then based on anchor DFA, two techniques including pre-filtering and regex decomposition are utilized to improve the average time complexity. Through implementing XAV with an FPGA-CPU architecture, comprehensive experiments show that a high matching throughput of up to 75 Gbps can be achieved for the large and complex Snort rule-set. Compared to state-of-the-art software schemes, XAV achieves two orders of magnitude of performance improvement. While compared to state-of-the-art FPGA-based schemes, XAV achieves more than 2.5x performance improvement with the same hardware resource consumption.

XAV: A High-Performance Regular Expression Matching Engine for Packet Processing

TL;DR

XAV tackles the challenge of high-speed regex matching for line-rate packet processing by introducing anchor DFA to mitigate DFA state explosion, augmented with a fast xor-filter pre-filter and a regex decomposition step to bound per-thread work. The three-stage pipeline (xor filter, anchor DFA, verification) is implemented on an FPGA-CPU architecture, with the xor filter and anchor DFA on FPGA and the verification engine on CPU. Key contributions include the anchor DFA concept, regex decomposition into lsRE/lusRE, xor-filter construction, and a practical FPGA-CPU implementation with shared state-transition tables and substantial memory compression, enabling up to 75 Gbps throughput on large Snort rule-sets and major improvements over software and prior FPGA-based REM schemes. The results demonstrate strong spatial efficiency, low timing overhead, and significant CPU offloading, offering a scalable path for real-time regex matching in security appliances.

Abstract

Regular expression matching is the core function of various network security applications such as network intrusion detection systems. With the network bandwidth increases, it is a great challenge to implement regular expression matching for line rate packet processing. To this end, a novel scheme named XAV targeting high-performance regular expression matching is proposed in this paper. XAV first employs anchor DFA to tackle the state explosion problem of DFA. Then based on anchor DFA, two techniques including pre-filtering and regex decomposition are utilized to improve the average time complexity. Through implementing XAV with an FPGA-CPU architecture, comprehensive experiments show that a high matching throughput of up to 75 Gbps can be achieved for the large and complex Snort rule-set. Compared to state-of-the-art software schemes, XAV achieves two orders of magnitude of performance improvement. While compared to state-of-the-art FPGA-based schemes, XAV achieves more than 2.5x performance improvement with the same hardware resource consumption.
Paper Structure (42 sections, 12 figures, 7 tables)

This paper contains 42 sections, 12 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Related works
  3. Software REM schemes
  4. Hardware REM schemes
  5. FPGA-based schemes
  6. TCAM-based schemes
  7. Memory-centric architecture schemes
  8. Motivations for XAV
  9. Anchor DFA
  10. Optimizations to Anchor DFA
  11. Pre-filter
  12. regex decomposition
  13. XAV
  14. Compilation of XAV
  15. Regex decomposition
  16. ...and 27 more sections

Figures (12)

  • Figure 1: Example of Anchor DFA matching procedure.
  • Figure 2: The architecture of XAV.
  • Figure 3: The compilation procedure of XAV.
  • Figure 4: The component tree for $RE_3$.
  • Figure 5: FPGA-CPU architecture for XAV implementation.
  • ...and 7 more figures

Theorems & Definitions (7)

  • Definition 1: anchor DFA
  • Definition 2: matching thread
  • Definition 3: access depth
  • Definition 4: long regex component
  • Definition 5: lsRE
  • Definition 6: lusRE
  • Definition 7: ldRE