Highly Space Efficient Counters for Perl Compatible Regular Expressions in FPGAs

  • Chia-Tien Dan Lo
  • Yi-Gang Tai
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4943)


Signature based network intrusion detection systems (NIDS) rely on an underlying string matching engine that inspects each network packet against a known malicious pattern database. Traditional static pattern descriptions may not efficiently represent sophisticated attack signatures. Recently, most NIDSs have adopted regular expressions such as Perl compatible regular expressions (PCREs) to describe an attack signature, especially for polymorphic worms. PCRE is a superset of traditional regular expression, in which no counters are involved. However, this overloads the performance of software-based NIDSs, causing a big portion of their execution time to be dedicated to pattern matching. Over the past decade, hardware acceleration for the pattern matching has been studied extensively and a marginal performance has been achieved. Among hardware approaches, FPGA-based acceleration engines provide great flexibility because new signatures can be compiled and programmed into their reconfigurable architecture. As more and more malicious signatures are discovered, it becomes harder to map a complete set of malicious signatures specified in PCREs to an FPGA chip. Even worse is that the counters used in PCREs typically take a great deal of hardware resources. Therefore, we propose a space efficient SelectRAM counter for PCREs that involve counting. The design takes advantage of components that consist of a configurable logic block, and thus optimizes space usage. A set of PCRE blocks has been built in hardware to implement PCREs used in Snort/Bro. Experimental results show that the proposed sheme outperforms existing designs by at least 5-fold. Performance results are reported in this paper.


Intrusion Detection Regular Expression Hardware Resource Half Adder Network Intrusion Detection System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Snort: Snort intrusion detection system (2007),
  2. 2.
    Bro: Intrusion detection system (2007),
  3. 3.
    PCRE: Perl compatible regular expressions (2007),
  4. 4.
    Lo, C.T.D., Tai, Y.G., Psarris, K., Hwang, W.J.: Super fast hardware string matching. In: Proc. of the 2006 IEEE International Conference on Field Programmable Technology, Bangkok, Thailand (December 2006)Google Scholar
  5. 5.
    Roan, H.C., Hwang, W.J., Lo, C.T.D.: Shift-or circuit for efficient network intrusion detection pattern matching. In: Proc. of the 16th International Conference on Field Programmable Logic and Applications (FPL 2006), Madrid, SPAIN (August 2006), pp. 785–790 (2006)Google Scholar
  6. 6.
    Aho, A., Sethi, R., Ullman, J.: Compilers - Principles, Techniques, and Tools, pp. 117–123 (1988)Google Scholar
  7. 7.
    Floyd, R., Ullman, J.: The compilation of regular expressions into integrated circuits. Journal of the ACM (JACM) 29, 603–622 (1982)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    McNaughton, R., Yamada, H.: Regular expressions and state graphs for automata. IEEE Transactions on Electronic Computers 9, 39–47 (1960)CrossRefGoogle Scholar
  9. 9.
    Hutchings, B.L., Franklin, R., Carver, D.: Assisting network intrusion detection with reconfigurable hardware. In: Porc. of the 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM 2002), Napa, CA (April 2002), pp. 111–120 (2002)Google Scholar
  10. 10.
    Clark, C., Schimmel, D.: Scalable parallel pattern-matching on high-speed networks. In: Proc. of IEEE Symposium on Field-Programmable Custom Computing Machines (2004)Google Scholar
  11. 11.
    Sutton, P.: Partial character decoding for improved regular expression matching in fpgas. In: Proceedings of IEEE International Conference on Field-Programmable Technology (FPT), pp. 25–32 (2004)Google Scholar
  12. 12.
    Lin, C.H., Huang, C.T., Jiang, C.P., Chang, S.C.: Optimization of regular expression pattern matching circuits on fpga. In: DATE 2006: Proceedings of the Conference on Design, Automation and Test in Europe, pp. 12–17 (2006)Google Scholar
  13. 13.
    Brodie, B., Taylor, D., Cytron, R.: A scalable architecture for high-throughput regular-expression pattern matching. In: the 33rd International Symposium on Computer Architecture (ISCA 2006), pp. 191–202 (2006)Google Scholar
  14. 14.
    Baker, Z., Prasanna, V., Jung, H.J.: Regular expression software deceleration for intrusion detection systems. In: The 16th International Conference on Field Programmable Logic and Applications (August 2006), pp. 1–8 (2006)Google Scholar
  15. 15.
    Yusuf, S., Luk, W., Szeto, M.K.N., Osborne, W.: Unite: Uniform hardware-based network intrusion detection engine. In: Reconfigurable Computing: Architectures and Applications, pp. 389–400 (2006)Google Scholar
  16. 16.
    Bispo, J., Sourdis, I., Cardoso, J., Vassiliadis, S.: Regular expression matching for reconfigurable packet inspection. In: Proc. of the 16th International Conference on Field Programmable Logic and Applications (FPL 2006), Madrid, SPAIN (August 2006), pp. 119–126 (2006)Google Scholar
  17. 17.
    Bispo, J., Sourdis, I., Cardoso, J., Vassiliadis, S.: Synthesis of regular expressions targeting fpgas: Current status and open issues. In: Reconfigurable Computing: Architectures, Tools and Applicatins (June 2007), pp. 179–190 (2007)Google Scholar
  18. 18.
    Moscola, J., Lockwood, J., Loui, R., Pachos, M.: Implementation of a content-scanning module for an internet firwall. In: Proc. of IEEE Workshop on FPGAs for Custom Computing Machines, Napa, CA (April 2003), pp. 31–38 (2003)Google Scholar
  19. 19.
    Sidhu, R., Prasanna, V.K.: Fast regular expression matching using fpgas. In: Proceedings of the IEEE Symposium on Field-Programmable Custom Computing Machines (April 2001), pp. 227–238 (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Chia-Tien Dan Lo
    • 1
  • Yi-Gang Tai
    • 1
  1. 1.Department of Computer ScienceUniversity of Texas at San Antonio 

Personalised recommendations