[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ Skip to main content
Springer Nature Link
Log in

An Efficient GPU-Based Multiple Pattern Matching Algorithm for Packet Filtering

  • Published:
Journal of Signal Processing Systems Aims and scope Submit manuscript

Abstract

In the past few decades, a variety of the malicious attacks on the Internet were discovered. Most of these attacks were through packets with different network protocols. Due to the very fast spread of these attacks, it was difficult for people to copy with them immediately. Consequently, packet filtering is a critical method to prevent these attacks. However, most packet filtering software solutions cannot satisfy the demands of the contemporary network bandwidth. In this paper, we propose a GPU-based multiple-pattern matching algorithm for filtering malicious packets by using a Bloom filter to inspect the packet payload by leveraging the high parallelism computing power of GPU. In the experiments, we compare the proposed algorithm with different GPU-implemented technologies to sequence the Bloom filter algorithm on different platforms. The experimental results demonstrate that the proposed algorithm significantly enhances performance over sequential algorithms.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (United Kingdom)

Instant access to the full article PDF.

Institutional subscriptions

Figure 1
Figure 2
Figure 3
Figure 4
Figure 5
Figure 6
Figure 7
Figure 8
Figure 9
Figure 10

Similar content being viewed by others

References

  1. Li, J., Qiu, M., Ming, Z., Quan, G., Qin, X., & Gu, Z. (2012). Online optimization for scheduling preemptable tasks on IaaS cloud systems. Journal of Parallel and Distributed Computing, 72(5), 666–677.

    Article  Google Scholar 

  2. Niu, J., Gao, Y., Qiu, M., & Ming, Z. (2012). Selecting proper wireless network interfaces for user experience enhancement with guaranteed probability. Journal of Parallel and Distributed Computing, 72(12), 1565–1575.

    Article  Google Scholar 

  3. Roesch, M. (1999). Snort - lightweight intrusion detection for networks. The 13th USENIX Conference on System Administration, pp. 229–238.

  4. Cabrera, J. B. D., Gosar, J., Lee, W., and Mehra, R. K. (2004). On the statistical distribution of processing times in network intrusion detection. Proc. IEEE Conf. on Decision and Control, Dec., pp. 75–80.

  5. Kim, J. H., Jang, W. D., Sim, J. Y., & Kim, C.-S. (2013). Optimized contrast enhancement for real-time image and video dehazing. Journal of Visual Communication and Image Representation, 24, 410–425.

  6. Knuth, D. E., Morris, J., & Pratt, V. (1977). Fast pattern matching in strings. SIAM Journal on Computing, 6, 127–146.

    Article  MathSciNet  MATH  Google Scholar 

  7. Boyer, R. S., & Moore, J. S. (1977). A fast string searching algorithm. Communications of the ACM, 20, 762–772.

    Article  MATH  Google Scholar 

  8. Aho, A. V., & Corasick, M. J. (1975). Efficient string matching: an aid to bibliographic search. Communications of the ACM, 18, 333–340.

    Article  MathSciNet  MATH  Google Scholar 

  9. Commentz-Walter, B. (1979). A string matching algorithm fast on the average. Proc. Intl. Colloquium on Automata, Languages and Programming, pp. 118–131.

  10. Wu, S. and Manber, U. (1994). A fast algorithm for multi-pattern searching. Technical Report TR-94-17.

  11. Coit, C., Staniford, S. and McAlerney, J. (2001). Towards faster string matching for intrusion detection or exceeding the speed of snort. Proc. DARPA Information Survivability Conference & Exposition II, pp. 367–373.

  12. Fisk, M., and Varghese, G. (2002). Applying fast string matching to intrusion detection. Technical Report In preparation, successor to UCSD TR CS2001-0670.

  13. Tuck, N., Sherwood, T., Calder, B., and Varghese, G. (2004). Deterministic memory-efficient string matching algorithms for intrusion detection. Proc. IEEE Infocom Conf., pp. 333–340.

  14. Bremler-Barr, A., David, S. T., Harchol, Y., and Hay, D. (2015). Leveraging traffic repetitions for high-speed deep packet inspection. IEEE Conference on Computer Communications, pp. 2578–2586.

  15. Jiang, L., Dai, Q., Tang, Q., Tan, J., and Fang, B. (2014). A fast regular expressions matching algorithm for NIDS. IEEE Symposium on Computers and Communication, pp. 1–7.

  16. Sidhu, R., and Prasanna, V. (2001). Fast regular expression matching using FPGAs. Proc. IEEE Symp. Field-Programmable Custom Computing Machines, pp. 227–238.

  17. Baker, Z. K. and Prasanna, V. K. (2004). Time and area efficient pattern matching on FPGAs. Proc. ACM/SIGDA Intl. Symp. Field Programmable Gate Arrays, pp. 223–232.

  18. Attig, M. and Lockwood, J. (2005). A framework for rule processing in reconfigurable network systems. Proc. Annual IEEE Symp. Field Programmable Custom Computing Machines, pp. 225–234.

  19. Bloom, B. H. (1970). Space/Time trade-offs in hash coding with allowable errors. Communications of the ACM, 13, 422–426.

    Article  MATH  Google Scholar 

  20. Dharmapurikar, S., Krishnamurthy, P., Sproull, T., and Lockwood, J. W. (2003). Deep packet inspection using parallel Bloom filters. In: IEEE Symposium on High Performance Interconnects. (HotI), Stanford, CA.

  21. Dharmapurikar, S., and Lockwood, J. W. (2006). Fast and scalable pattern matching for network intrusion detection systems. IEEE Journal on Selected Areas in Communications, pp. 1781–1972.

  22. Al-Dalky, R., Salah, K., Otrok, H., and Al-Qutayri, M. (2014). Accelerating snort NIDS using NetFPGA-based Bloom filter. International Wireless Communications and Mobile Computing Conference, pp. 869–874.

  23. Jacob, N., and Brodley, C. (2006). Offloading ids computation to the gpu. In: Computer Security Applications Conference, 22nd Annual, pp. 371–380.

  24. Vasiliadis, G., Antonatos, S., Michalis, P., Markatos, E. P., & Ioannidis, S. (2008). Gnort: high performance network intrusion detection using graphics processors. Lecture Notes in Computer Science, 5230, 116–134.

    Article  Google Scholar 

  25. Lin, C. H., Tsai, S. Y., Liu, C. H., Chang, S. C., and Shyu, J. M. (2010). Accelerating string matching using multi-threaded algorithm on GPU. IEEE Global Telecommunications Conference, pp. 1–5.

  26. Hung, C. L., Lin, C. Y., & Wang, H. H. (2014). An efficient parallel-network packet pattern-matching approach using GPUs. Journal of Systems Architecture, 60, 431–439.

    Article  Google Scholar 

  27. Nvidia. (2011). CUDA C best practices guide. version 4. Online.

  28. Cormen, T. H., Leiserson, C. E., Rivest, R. L., and Stein, C. (1990). An introduction to algorithms. McGraw-Hill Book Publication, 1st (ed.).

  29. Larson, P. A. (1978). Dynamic hashing. BIT, 18, 184–201.

    Article  MathSciNet  MATH  Google Scholar 

  30. Hsu, C. H., and Wang, S. D. (2013). An embedded NIDS with multi-core aware packet capture. IEEE 16th International Conference on Computational Science and Engineering, pp. 778–785.

  31. Chen, X., Wu, Y., Xu, L., Xue, Y., and Li, J. (2009). Para-Snort: A multi-thread snort on multi-core IA platform. In: Proceedings of the Parallel and Distributed Computing and Systems.

  32. Jiang, H., Zhang, G., Xie, G., Salamatian, K., and Mathy, L. (2013). Scalable high-performance parallel design for network intrusion detection systems on many-core processors. ACM/IEEE Symposium on Architectures for Networking and Communications Systems, pp. 137–146.

  33. Li, J., Ming, Z., Qiu, M., Quan, G., Qin, X., & Chen, T. (2011). Resource allocation robustness in multi-core embedded systems with inaccurate information. Journal of Systems Architecture, 57(9), 840–849.

    Article  Google Scholar 

Download references

Acknowledgments

This research was partially supported by the Ministry of Science and Technology under Grants MOST-103-2221-E-126-013.

Author information

Authors and Affiliations

  1. Department of Computer Science and Communication Engineering, Providence University, Taichung, Taiwan

    Che-Lun Hung

  2. Department of Computer Science and Information Engineering, Chang Gung University, Taoyuan, Taiwan

    Chun-Yuan Lin

  3. Department of Computer Science and Information Management, Providence University, Taichung, Taiwan

    Po-Chang Wu

Authors
  1. Che-Lun Hung
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Chun-Yuan Lin
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Po-Chang Wu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Chun-Yuan Lin.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Hung, CL., Lin, CY. & Wu, PC. An Efficient GPU-Based Multiple Pattern Matching Algorithm for Packet Filtering. J Sign Process Syst 86, 347–358 (2017). https://doi.org/10.1007/s11265-016-1139-0

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11265-016-1139-0

Keywords

Search

Navigation