Massively Parallel Cuckoo Pattern
Matching Applied For NIDS/NIPS

Author: Tran Ngoc Thinh, Surin Kittitornkun

Publisher: Electronic Design, Test and Application, 2010. DELTA '10.
Fifth IEEE International Symposium on

Presenter: Yuen-Shuo Li

Date: 2013/04/09
1
Background
Nowadays, illegal intrusion is one of the most serious threats to network security.
Network Intrusion Detection/Prevention Systems (NIDS/NIPSs) are designed to
examine not only the headers but also the payload of the packets to match and
identify intrusions.
However, checking thousands of patterns to see whether it matches becomes a
computationally intensive task as the highest network speed increases to several
gigabits per second (Gbps).
2
Introduction
In this paper, we implement a massively parallel architecture of variable-length
pattern matching best suited for hardware, naming Cuckoo-based Pattern
Matching (CPM).
CPM is the application of a recently developed algorithm called Cuckoo Hashing
[12] for pattern matching in NIDS/NIPS.
With the parallel lookup, our improved system is more efficient in terms of
performance as applied on hardware. Unlike most previous FPGA-based systems,
CPM is also very flexible in terms of update the static pattern set without
reconfiguration.
3
Hashing with Chaining
The main idea in hashing based dictionaries is to
let the hash functions decide where to store each
item.
However, it is highly likely that there will be
collisions. An obvious idea is to make a pointer
from position a in the array to a data structure
holding the set.
4
Cuckoo Hashing
Cuckoo hashing is a scheme for resolving hash collisions of values of hash
functions in a table, with worst-case constant lookup time.
The name derives from the behavior of some species of cuckoo, where the
cuckoo chick pushes the other eggs or young out of the nest when it hatches;
analogously, inserting a new key into a cuckoo hashing table may push an older
key to a different location in the table.
5
Cuckoo Hashing(Cont.)
Instead of requiring that x should be stored at
position h1(x), we give two alternatives: Position
h1(x) and position h2(x).
When inserting a new element x it may of course
still happen that there is no space. This is resolved
by imitating the nesting habits of the European
cuckoo: Throw out the current occupant y of
position h1(x) to make room!
6
Cuckoo Hashing(Cont.)
7
FPGA-based Cuckoo Hasing
single-port SRAM
double-port SRAM
8
Cuckoo Hasing - lookup
9
Cuckoo Hasing - insert
10
CPM - Architecture
On Dec 15, 2006, there were 4,748 unique patterns which contain 64,873
characters in Snorts rule set. Fig.5 shows the distribution of the pattern lengths
in Snort database of from 1 up to 109 characters. We can see that 65% of total
numbers of patterns are up to 16 characters.
11
CPM – Architecture(Cont.)
Therefore, we build the Cuckoo Hashing modules for short patterns which are
less than or equal 16 characters according to this fact.
For longer patterns, we can break them into shorter segments so that we can
insert those segments to the Cuckoo modules of short patterns.
input: ABCDEFGHIJKLMNOP
ABCDEFGHIJKLMNOP
...
ABCD
ABC
AB
A
12
CPM – Architecture(Cont.)
Shift-Add-XOR(SAX) utilizes only the simple and fast operations of shift, XOR and
add.
𝐻𝑖 = 𝐻𝑖−1 ⊕ (𝑆𝐿 (𝐻𝑖−1 ) + 𝑆𝑅 (𝐻𝑖−1 )+ 𝐶𝑖
SL and SR: shift left and right
Ci :the character ith of string
Hi : an intermediate hash value after examination of i characters.
13
CPM – Architecture(Cont.)
input: ABCDEFGHIJKLMNOP
ABCDEFGHIJKLMNOP
...
ABCD
ABC
AB
A
14
CPM – Architecture(Cont.)
15
Performance
16
Performance(Cont.)
17