Scalable Multigigabit Pattern Matching for Packet Inspection
IEEE Transactions on Very Large Scale Integration (VLSI) Systems
In this paper we consider hardware-based scanning and analysis of packet payloads in order to detect hazardous contents. We present two pattern matching techniques to compare incoming packets against intrusion detection search patterns. The first approach, Decoded partial CAM (DpCAM), pre-decodes incoming characters, aligns the decoded data and performs a logical AND on them to produce the match signal for each pattern. The second approach, Perfect Hashing memory (PHmem), uses perfect hashing to determine a unique memory location that contains the search pattern, and a comparison between incoming data and memory output to determine the match. Both techniques are well suited for reconfigurable logic and match about 2,200 intrusion detection patterns using a single Virtex2 FPGA device. We show that DpCAM achieves a throughput between 2 and 8 Gbps, requiring 0.58 to 2.57 logic cells per search character. On the other hand, PHmem designs can support 2 to 5.7 Gbps using a few tens of block RAMs (630-1,404 Kbits) and only 0.28 to 0.65 logic cells per character. We evaluate both approaches in terms of performance and area cost and analyze their efficiency, scalability and tradeoffs. Finally, we show that our designs achieve at least 30% higher efficiency compared to previous work, measured in throughput per area required per search character.
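The PHmem lookup described in the abstract (hash to one memory location, then compare the incoming data with the memory output) can be modelled in software; the following is an added illustration, not code from the paper. The seeded CRC32 search is a stand-in for the paper's hardware hash function, and the class name, slot sizing and sample patterns are assumptions constructed for this example.

```python
import zlib

def build_perfect_hash(patterns, slots):
    """Brute-force a CRC32 seed that maps every pattern to a distinct slot.
    Stand-in for the paper's hardware hash; only the collision-free property matters."""
    for seed in range(1 << 20):
        if len({zlib.crc32(p, seed) % slots for p in patterns}) == len(patterns):
            return seed
    raise ValueError("no collision-free seed found; increase slots")

class PHMemModel:
    """One pattern memory per pattern length (assumed layout for this sketch)."""

    def __init__(self, patterns):
        by_len = {}
        for p in patterns:
            by_len.setdefault(len(p), set()).add(p)
        self.tables = {}  # length -> (seed, slots, memory)
        for n, group in by_len.items():
            slots = 2 * len(group)
            seed = build_perfect_hash(group, slots)
            memory = [None] * slots
            for p in group:
                memory[zlib.crc32(p, seed) % slots] = p
            self.tables[n] = (seed, slots, memory)

    def scan(self, payload):
        """Return sorted (offset, pattern) pairs for every match in payload."""
        hits = []
        for n, (seed, slots, memory) in self.tables.items():
            for off in range(len(payload) - n + 1):
                window = payload[off:off + n]
                # Any input hashes to *some* address, so the hash alone proves
                # nothing: the read-back pattern must equal the incoming bytes.
                stored = memory[zlib.crc32(window, seed) % slots]
                if stored == window:
                    hits.append((off, stored))
        return sorted(hits)

# Constructed sample patterns and payload, not real IDS signatures.
SAMPLE_PATTERNS = [b"ALPHA", b"BRAVO", b"CHARLIE", b"DELTA"]
SAMPLE_PAYLOAD = b"xxALPHAyyCHARLIEzzDELT"

if __name__ == "__main__":
    print(PHMemModel(SAMPLE_PATTERNS).scan(SAMPLE_PAYLOAD))
```

Each window costs one hash, one memory read and one comparison regardless of how many patterns are stored, which is the property that lets the hardware design trade logic cells for block RAM.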