Partial Character Decoding for Improved Regular Expression Matching in FPGAs

Transcription

1 Partial Charater Deoding for Improved Regular Expression Mathing in FPGAs Peter Sutton Shool of Information Tehnology and Eletrial Engineering The University of Queensland Brisbane, Queensland, 4072, Australia Abstrat High-speed string pattern mathing in hardware is required in many appliations inluding Network Intrusion Detetion appliations Regular expressions are one method to implement suh mathing and are often built in FPGAs using non-deterministi finite automata (NFAs) To obtain high throughputs it is neessary to proess many bytes in This paper extends the modular NFA onstrution method of Sidhu and Prasanna to handle the proessing of many bytes in The paper also introdues the onept of partial harater deoding in whih harater math units are shared but the number of signals needed to be routed around the FPGA is redued over previous shared-deoder approahes With these approahes, throughput over 5Gbps is ahieved for the full default Snort rule-set (23401 literals) in a Xilinx Virtex FPGA Throughputs over 40Gbps are ahieved on smaller rule-sets Suggestions to improve performane are also given 1 Introdution There has been muh reent work on the topi of aelerated textual pattern mathing, and in partiular, regular expression mathing in FPGAs Muh of this has been in the ontext of Network Intrusion Detetion System (IDS) appliations - often using the rules from the Snort IDS [1] as a basis for testing A ommon and effiient method for implementing regular expression mathing in hardware is the non-deterministi finite automaton (NFA) Sine Sidhu and Prasanna [2] demonstrated how FPGAs an effiiently implement NFAs, a number of authors have presented variations on their approah whih give better performane The work presented here extends the original modular building-blok approah of Sidhu and Prasanna [2] by presenting regular expression building bloks suitable for proessing an arbitrary number of bytes in The paper also extends the work of Clark and Shimmel [3] who used a shared harater deoder to more effiiently implement NFA regular expression iruits Our results show that in most irumstanes a partial deoding approah will give better results than a full 8-to- deoding of eah harater A program has been implemented whih onverts Snort rules into regular expressions and, from these, onstruts a strutural VHDL desription of an NFA iruit whih mathes the given patterns whilst proessing multiple bytes in The onstrution method uses the extended NFA building bloks and also uses the partial deoders proposed in this paper The remainder of this paper is organised as follows Setion 2 presents some bakground information Setion 3 desribes the modular multi-byte NFA building bloks and Setion 4 desribes the partial harater deoding approah Setion 5 desribes the results from the synthesis of a number of example regular expression engines Some disussion of the results and a desription of future enhanements is presented in Setion 6 followed by some onlusions in Setion 7 2 Bakground Information This setion presents bakground information on regular expressions, NFAs, NFA implementation in hardware, the Snort Network IDS tool, and other hardware approahes to Network IDS 21 Regular Expressions A regular expression is a pattern whih desribes a string (or strings) of haraters A regular expression onsists of both haraters (from some alphabet) and meta-haraters whih have speial meaning A regular expression r an be one of the following: a single harater, or literal from the alphabet of interest - this mathes exatly that harater;

2 a onatenation of two regular expressions, r 1 r 2 - this mathes regular expression r 1 immediately followed by r 2 ; an alternation of two regular expressions, r 1 r 2 - this mathes either r 1 or r 2 ; the losure (or star) of a regular expression, r 1 * - this mathes 0 or more ourrenes of r 1 (r 1 * is the same as r 1 r 1 r 1 r 1 r 1 r 1 where is the empty (zero-length) string); or a parenthesized regular expression, (r 1 ) - this mathes r 1 (parentheses are used for overriding preedene) More omplex regular expression syntaxes with many more meta-haraters (eg + [ ]? et) are available In all ases, suh an expression an be onverted to one using only the meta-haraters above (though often at the ost of greatly inreased pattern length) 1 22 Non-Deterministi Finite Automata (NFAs) A non-deterministi finite automaton (NFA) an be thought of as a direted graph whose nodes are states [5] There is a start state and one or more aepting or final states Transitions between states are labelled by any symbol from the alphabet or by, the empty string The NFA aepts a string a 2 a n if there is a path from the start state to an aepting state with labels, a 2, a n (The label may also appear any number of times) A deterministi finite automation (DFA) is an NFA in whih there are no paths labelled with and no two outgoing paths from any state are labelled with the same symbol At most one state of a DFA is ative, whereas an NFA may have any number of ative states Any NFA an be onverted to an equivalent DFA, though in the worst ase this will take O(n 2 ) time and O(n 2 ) spae where n is the number of states in the NFA Further details on NFAs an be found in [4] 23 NFAs and Regular Expressions 1 Suh a onversion may not lead to an effiient implementation but it will lead to orret one 2 Software implementations of regular expression mathing will typially use an equivalent DFA whih an math any harater in O(1) time Note however that the onversion proess from an NFA to a DFA may be O(n 2 ) in both time and spae NFAs are suited to regular expression mathing beause there is a diret mapping from any regular expression to an NFA [5] in O(n) time where n is the length of the regular expression A software implementation of an NFA an math a harater in O(n) time 2 In hardware, however, multiple state transitions an be onsidered in so a hardware NFA an math a harater in O(1) time The implementation of regular expressions in hardware was first examined over 20 years ago when Floyd and Ullman [5] showed that an NFA regular expression iruit an be implemented effiiently using a programmable-logi array (PLA) arhiteture More reently, Sidhu and Prasanna [2] showed that NFAs were an effiient method for implementing regular expressions in FPGAs Both approahes involve a simple onversion proess using one-hot enoding of the states As desribed in the following setion, a number of researhers have examined regular expression mathing in FPGAs 24 Regular Expression Mathing in FPGAs Sine the work of Sidhu and Prasanna [2] a number of authors have presented enhanements that improve pattern mathing performane Some of these are disussed below Huthings et al [6] report on a JHDL-based module generator This uses the modular approah of Sidhu and Prasanna, but also supports additional regular expression meta-haraters?, and [] The module-generator also reognises and shares hardware between patterns with ommon prefixes Charaters to be mathed are broadast to all harater math units, but a pipelined broadast tree is implemented to improve performane Mosola et al [8] take the approah that in many ases a DFA equivalent to an NFA would atually use fewer states Beause a DFA is always in a single state, suh an approah enables the state to be aptured in a small number of bits, whih is ideal for swapping pattern mathing ontexts in and out of hardware Their work proesses a single byte at a time but uses multiple engines in to aelerate mathing 25 Snort Snort [1] is an open-soure Network Intrusion Detetion System (IDS) Snort is onfigured with a set of rules whih desribe pakets of interest and the ation whih should be taken upon reeipt of suh pakets The rules an speify both paket header information (eg soure and/or destination IP addresses, port numbers et) as well as paket ontent information to be mathed against An example Snort rule (with some detail omitted) is: alert tp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"exploit LPRng overflow"; flow: to_server,established; ontent: " B 08 8D 4B C B0 0B CD C0 FE C0 CD 80 E8 94 FF FF FF 2F E 2F A "; )

3 The rule speifies the ation to take (alert), the protool (tp), the soure and destination IP addresses and ports, some harateristis of the onnetion (flow: option) and the ontent to be mathed (ontent: option), in this ase expressed as a sequene of hexadeimal harater values Snort rules are often used as example patterns for FPGA-based pattern mathing implementations beause they represent a large real-world set of patterns 26 Other Approahes for Network IDS on FPGAs Network IDS implementations on FPGAs need not be based on NFAs or even regular expressions Other approahes have inluded (but are not limited to) DFAs [8], variations on the Knuth-Morris-Pratt (KMP) algorithm [9], Bloom filters [10], and ontent-addressable memory (CAM) based approahes [11],[12] This paper onentrates on the issue of effiiently implementing regular expression mathing in FP- GAs rather than Network IDS per se Network IDS, in the form of Snort rules, is used as the example domain 3 Regular Expression NFA Building Bloks i (a) () (b) i 1 i 2 o 1 o 2 o i 1 i 2 i 3 i 4 o 1 o 2 o 3 o 4 Building on the work of Sidhu and Prasanna [2], a building-blok approah to the onstrution of NFA iruits whih math regular expressions against multi-byte inputs is presented Regular expressions desribe patterns in a given alphabet of haraters In Network Intrusion Detetion appliations, the alphabet is the set of all possible byte values (ranging numerially from 0 to 255 if onsidered as an unsigned value) Implementations of regular expression engines (in both software and hardware) usually onsider one inoming symbol at a time As network speeds aelerate, Network Intrusion Detetion appliations have inreasing performane requirements, eg, needing to san network traffi at throughputs of many giga-bits per seond (Gbps) Suh throughputs are relatively easy to obtain in hardware, provided that more than one byte of the input stream an be sanned simultaneously in The easiest way to get greater performane (throughput) from a pattern mathing iruit is to extend it to handle multiple-bytes in Sidhu and Prasanna s single byte mathing unit (Fig 1 (a)) an be extended to handle multiple bytes in as Figure 1 Single harater NFA building bloks for (a) single byte mathing, (b) two bytes at a time, and () four bytes at a time Eah C blok is a harater math unit shown in Fig 1 (b) and () In eah ase, the flip-flop holds the NFA state bit For the single-byte ase, a 1 stored in the flipflop means that if the urrent harater passes the harater math unit C, then we enable the subsequent state (ie output o will be high) The multi- (n) byte ase extends the byte mathing unit to have n harater math units - one examining eah byte of the n-byte input data If the flip-flop holds a 1, output o 2 will be high if byte one mathes the given harater - ie the iruit is indiating to the next stage that it should look for math on byte two If i 2 is high, o 3 will be high if byte two mathes the required harater Similarly, if input i n is high, o 1 will be high if byte n mathes the required harater The o 1 signal will be the i 1 input to a subsequent stage and will be lathed by its flip-flop Effetively this means that if the last byte of our group of bytes mathed the required harater, we ll be looking for the next math in the first byte of the next group of bytes

4 i 1 i n o 1 o 2 o n i 1 i n o 1 o 2 o n i 1 i n o 1 o n i o i o r1 r2 i o r1 i o r2 i o r1 (a) (b) () Figure 2 Multi-byte regular-expression NFA building bloks for ombination elements: (a) onatenation: r1r2, (b) alternation: r1 r2 and () star: r1* The resulting iruit from grouping suh bloks will be similar to the multi-byte approah presented by Cho et al in [14] but does not break up the pattern into N-byte hunks (repeated at eah of the N possible offsets) Sourdis and Pnevmatikatos [7] also present a multi-byte approah in whih the pattern is repeated at different offsets The approah presented here allows for a building-blok approah to the onstrution of an NFA and is oneptually leaner In addition to the multi-byte harater mathing blok, the single byte onatenation, alternation and star bloks of Sidhu and Prasanna an be extended to multiple bytes as shown in Fig 2 In the ase where n=1, the iruits redue to those shown in [2] A tool has been implemented in Tl [13] whih reads patterns in the format of Snort rules, forms regular expression parse trees, and then generates strutural VHDL desribing an NFA iruit whih mathes the given patterns The final alternation (ie or ombination) of all the patterns in the rule-set uses a pipelined or-tree so as not to be a bottle-nek The number of bytes to be onsidered in is an input parameter to the tool Charater math units generated by the tool take advantage of shared partial deoders as desribed in the following setion 4 Partial Charater Deoding Sidhu and Prasanna s approah (and that of many others) distributes eah input harater to eah harater math unit in the iruit and repliates omparators Clark and Shimmel [3] desribe a shared harater-deoder approah An 8-to- deoder is used to generate a single-bit math signal for eah harater These single-bit signals are then distributed to the appropriate harater math units, removing the overhead of distributing an 8-bit harater to eah harater math unit and performing redundant harater omparisons This approah saves logi resoures but does require a large number of global signals to be distributed around the FPGA Our work extends this approah by onsidering partial shared harater deoding Partial deoding means that instead of deoding all 8 bits of eah harater, we deode groups of bits within eah harater In this work, we onsidered breaking the 8 bits of eah harater into 1,2,3,4 and 8 groups as shown in Fig 3 (One group of 8 bits is not partial deoding - we onsider this deoding option to enable omparison between this approah and partial deoding) Shared partial deoding allows trade-offs between the amount of logi shared amongst the whole iruit (ie the number and size of the harater deoders) and the number of signals whih have to be routed around the FPGA As shown in Fig 3, the number of signals whih need to be distributed around the FPGA redues as the number of deoding groups inreases With full 8- to- deoding for eah harater, up to signals need to be distributed around the FPGA 3 from our shared deoder blok (though eah math unit will only need one of these signals) With four 2-to-4 deoders, for example, only 16 signals need to be distributed around the FPGA (though on average, eah signal will be needed in 16 times more plaes than with 8-to- deoding) If multiple (n) bytes are being proessed in, the number of signals to be distributed must be multiplied by n Partial deoding does inrease the omplexity of the harater math units With 8-to- deoding, the harater math unit (shown as bloks labelled C in Fig 1) beomes just a wire (as shown in Fig 4(a)) With partial deoding, an AND gate is required in eah harater math unit Fig 4 shows the required harater math units (ie C bloks) for eah of the partial deodings onsidered It is hypothesized that the ost of this is negligible given that the output 3 Fewer signals (and deoders) are needed if the pattern-spae does not use all possible haraters

5 (a) (b) () (d) (e) a 2 a 255 a 2 5 b 0 b 1 b 2 b Figure 3 Charater deoding options onsidered in this paper: (a) Eah harater is fully deoded (b) Eah harater is broken into two groups of four bits eah () Eah harater is broken into three groups of 3,3,2 bits (d) Eah harater is broken into four groups of 2 bits eah (e) Eah harater is broken into individual bits a 7 b 0 b 1 b a 2 a 3 b 0 b 1 b 2 b d 0 d 1 d 2 d 3 16 b 0 b d 0 d 1 e 0 e 1 f 0 f 1 g 0 g 1 h 0 h 1 16 (a) (b) () (d) (e) Figure 4 Charater math units required for eah of the five deoding options shown in Fig 3 of the harater math unit is ANDed with the urrent NFA state bit or other input (as shown in Fig 1) 5 Experimental Results In this setion we present the results of ombining partial-harater deoding with the modular onstrution of multi-byte regular expression NFAs A number of rule sets are onsidered We hose to target the Xilinx Virtex (speed grade 5) and Xilinx Virtex-E 2000 (speed grade 7) sine those devies are used as examples in a number of related studies 51 Rule-sets A number of rule-sets were onsidered in the experiments These were subsets of the Snort 200 ruleset as follows: web-attaks - the set of rules in the file web-attaksrules sql - the set of rules in the file sqlrules web-iis - the set of rules in the file web-iisrules default - the set of rules enabled by default in the 200 rule-set (ie those rules inluded in the snortonf file) Various harateristis of these rule-sets are shown in Table 1 The number of ontent patterns refers to the total number of ontent: or uriontent: strings in the rule-set The number of literals is the total number of haraters in eah of the ontent patterns for that rule-set The smaller rulesets were hosen based on their relative size (an approximate doubling of the number of literals from set to set) Table 1: Experimental rule-set harateristis Name Number of rules Number of ontent patterns Number of literals web-attaks sql web-iis default A number of artifiial rule sets of various sizes and lengths (with low inter-pattern ommonality) were also tested but results for these are not presented as little is added to the data presented below

6 52 Methodology Strutural VHDL was generated (by the tool desribed earlier) for eah of the iruits under test The design was passed through a standard Xilinx ISE 61 tool flow (xst, ngdbuild, map, par) with default options The only onstraint speified was the target lok period, whih was hosen to be 125 times the predited lok period reported by the synthesis tool This resulted in some designs being overonstrained (failing to meet the timing onstraint) and some underonstrained (easily meeting the timing onstraint) In all ases, the lok period (and hene maximum frequeny) reported is the Atual value reported by the plae-and-route tool The throughput reported (in Gbps) is the maximum frequeny obtained (in MHz) multiplied by 8 multiplied by the number of bytes being proessed in divided by 1024 For all of the rule-sets exept the largest ( default ), VHDL was generated, synthesized, plaed and routed for eah ombination of: the two devies being onsidered; the five deoding options; and the proessing of 1,2,3,4,5,6,7,8,10,12,14 and 16 bytes in For the large default rule set, only the proessing of 1,2 and 3 bytes in was onsidered for some of the five deoding options and only on the larger Virtex 2 devie Some ombinations were beyond the memory apaity of the omputer onerned even though the devie was not fully utilized 53 Performane Tables 2, 3, 4, and 5 show the results for the various rule-sets on the Virtex devie The tables list the throughput (in Gbps) for the given ombination of number of bytes proessed in and the style of harater deoding The number in parentheses in eah table entry is the proportion of 4-input lookup-tables (LUTs) utilized in the devie For eah given number of bytes proessed in, the deoding option whih produed the greatest throughput is shaded light gray Table 6 shows the results for the web-attaks rule-set on the Virtex-E 2000 devie Other results for this devie are omitted A disussion of the results is presented below 6 Disussion The most important onlusion to draw from the experimental results is that there is no obvious relationship between the style of harater deoding and the best performane (throughput) For any given rule-set and number of bytes to be proessed in, any one of the harater deoding styles ould produe the best performane The best hoie also depends on the devie hosen - for the web-attaks Table 2: Gbps throughput (LUT utilization%) for web-attaks rule-set on Virtex Bytes in () (05%) 268 (05%) 306 (05%) 268 (05%) 308 (2%) (06%) 536 (06%) 543 (08%) 461 (07%) 521 (3%) (08%) 863 (1%) 788 (13%) 7 (11%) 86 (34%) (12%) 106 (14%) 881 (17%) 843 (16%) 113 (4%) (17%) 137 (18%) 110 (22%) 135 (22%) 130 (48%) (21%) 133 (21%) 140 (27%) 153 (27%) 160 (54%) (25%) 168 (26%) 165 (33%) 167 (32%) 182 (62%) (3%) 193 (3%) 195 (37%) 194 (38%) 208 (63%) (38%) 239 (39%) 25 (47%) 235 (49%) 251 (8%) (46%) 272 (48%) 300 (57%) 280 (58%) 305 (89%) (54%) 351 (57%) 347 (67%) 365 (69%) 354 (102%) (62%) 399 (67%) 401 (75%) 401 (78%) 389 (108%) Table 3: Gbps throughput (LUT utilization%) for sql rule-set on Virtex Bytes in () (07%) 276 (07%) 285 (07%) 283 (07%) 33 (32%) (08%) 526 (08%) 486 (1%) 533 (11%) 429 (4%) (1%) 85 (11%) 771 (14%) 788 (2%) 659 (56%) (14%) 103 (15%) 107 (18%) 114 (25%) 884 (61%) (2%) 137 (2%) 131 (24%) 131 (28%) 108 (77%) (26%) 146 (25%) 139 (29%) 180 (35%) 13 (88%) (3%) 167 (29%) 168 (34%) 206 (38%) 151 (101%) (37%) 191 (34%) 191 (39%) 229 (44%) 162 (111%) (47%) 233 (43%) 235 (5%) 251 (54%) 206 (127%) (56%) 299 (54%) 230 (59%) 309 (64%) 237 (156%) (66%) 358 (63%) 360 (72%) 357 (76%) 329 (155%) (76%) 392 (74%) 388 (82%) 397 (85%) 329 (194%) Table 4: Gbps throughput (LUT utilization%) for web-iis rule-set on Virtex Bytes in () (23%) 319 (23%) 331 (22%) 278 (23%) 312 (46%) (26%) 511 (26%) 443 (32%) 445 (42%) 468 (56%) (3%) 813 (37%) 67 (5%) 631 (63%) 899 (91%) (42%) 893 (53%) 903 (65%) 879 (82%) 103 (105%) (59%) 111 (71%) 113 (84%) 112 (97%) 134 (147%) (76%) 128 (85%) 133 (103%) 130 (115%) 154 (167%) (91%) 151 (101%) 143 (119%) 147 (132%) 184 (195%) (109%) 218 (118%) 195 (139%) 170 (15%) 199 (216%) (14%) 212 (153%) 223 (181%) 210 (191%) 234 (266%) (165%) 255 (188%) 247 (218%) 249 (225%) 260 (314%) 14 Failed 301 (227%) 351 (258%) 303 (263%) 354 (366%) 16 Failed 392 (267%) 382 (301%) 347 (305%) 392 (414%) Table 5: Gbps throughput (LUT utilization%) for default rule-set on Virtex Bytes in 1 Failed 236 (202%) 2 Failed 392 (227%) 3 Failed 512 (285%) () (202%) 373 (364%) 513 (611%) 266 (203%) 356 (418%) 296 (613%) 252 (235%) 277 (389%) Did not fit

7 Table 6: Gbps throughput (LUT utilization%) for web-attaks rule-set on Virtex-E 2000 Bytes in () 3 rule-set (and also the other rule-sets, although these results are not shown) the best deoding option differed for the Virtex-E and Virtex-2 devies onsidered This is likely to be beause a devie s balane between logi and routing resoures may determine the most appropriate deoding approah for any given rule-set It should be noted that in all but a few ases, the full harater-deoding option (8-to- deoding) did not produe the best performane In most ases, however, it did produe the best logi utilization As expeted, throughput improves as the number of bytes proessed in inreases For the three smaller rule-sets, proessing 16 bytes in gave throughputs (for the best deoding option) at or near 40Gbps The best performane ahieved for the default rule-set was 513 Gbps when proessing 3 bytes in with three shared harater deoders (3-to- 8, 3-to-8 and 2-to-4) Higher performane is likely to be possible 61 Further Advantages of Partial Deoding Although not applied here, partial deoding of haraters would also allow improved implementation of pattern ranges (inluding ase-insensitivity) A redued number of signals and assoiated AND logi will be needed to math a range of haraters, eg, in the 4 deoder ase, only 3 of the 4 signals are needed to deode a pattern range in whih one of the 4 groups is wild (ie two of the bits of the harater are wild) 62 Further Optimizations (09%) 167 (09%) 208 (09%) 176 (09%) 185 (35%) (11%) 303 (11%) 344 (14%) 338 (12%) 328 (53%) (15%) 49 (18%) 489 (23%) 459 (2%) 466 (6%) (21%) 652 (24%) 579 (31%) 498 (29%) 605 (7%) (29%) 719 (31%) 642 (39%) 72 (39%) 768 (84%) (37%) 8 (38%) 821 (49%) 786 (47%) 876 (95%) (44%) 977 (46%) 964 (58%) 883 (56%) 974 (108%) (52%) 983 (53%) 111 (66%) 986 (67%) 103 (111%) (66%) 128 (69%) 131 (83%) 125 (84%) 139 (14%) (81%) 150 (85%) 154 (10%) 157 (102%) 163 (157%) (95%) 172 (101%) 173 (117%) 195 (121%) 180 (18%) (11%) 210 (118%) 206 (133%) 201 (138%) 202 (189%) A number of further optimizations are possible, inluding many that others have reported on Clark and Shimmel [3] implement prefix tree optimization in whih iruitry is eliminated for patterns with ommon prefixes This ourred in our work only to the extent that the synthesis tool reognised ommon logi Adding the apability to the iruit generator might redue synthesis time and give improved results Little attempt was made at pipelining in this work (other than the final or-ombination) As shown in [6], extensive fine-grained pipelining an produe even better performane (at the ost of lateny) An extension to support further regular expression meta-haraters may also redue generated iruit size as also shown in [6] 7 Conlusions This paper has presented an extension to the modular regular-expression to NFA onstrution method of Sidhu and Prasanna in order to handle multiple bytes in in an equivalent modular fashion The paper has also introdued the idea of shared partial harater deoding and demonstrated that full shared harater (8-to-) deoding is usually not the best approah to ahieve the best throughput The ideal partial deoding option has been experimentally shown to be dependent on the FPGA devie onerned, the number of bytes to be proessed in and the patterns to be implemented A program has been written whih onverts Snort rules to regular expressions and then applies the multi-byte modular NFA onstrution method to produe iruits whih math given patterns using a partiular deoding method and proessing a given number of bytes in The iruits generated are able to math against the omplete default Snort rule set at a throughput of over 5Gbps in a Xilinx Virtex devie Throughputs over 40Gbps are ahieved on smaller rule-sets Future work will involve inorporating further optimizations into the iruit generation program Referenes [1] (Aessed 1 June 2004) [2] Sidhu, R and Prasanna, VK, Fast Regular Expression Mathing using FPGAs, in Proeedings of 9th Annual IEEE Symposium on Field-Programmable Custom Computing Mahines (FCCM 01), April 2001 [3] Clark, CR and Shimmel, DE, Effiient Reonfigurable Logi Ciruits for Mathing Complex Network Intrusion Detetion Patterns, in Proeedings of FPL 2003, LNCS 2778, pp , Sep 2003 [4] Hoproft, JE and Ullman, JD, Introdution to Automata Theory, Languages and Computation Addison Wesley, Reading, MA, 1979 [5] Floyd, RW and Ullman, JD, The Compilation of Regular Expressions into Integrated Ciruits, Journal of ACM, vol 29, no 3, pp , July 1982 [6] Huthings, BL, Franklin, R and Carver, D, Assisting Network Intrusion Detetion with Reonfigurable

8 Hardware, in Proeedings of the 10th Annual IEEE Symposium on Field-Programmable Custom Computing Mahines (FCCM 02), April 2002 [7] Sourdis, I and Pnevmatikatos, D, Fast, Large-Sale String Math for 0Gbps FPGA-Based Network Intrusion Detetion System, in Proeedings of FPL 2003, LNCS 2778, pp , Sep 2003 [8] Mosola, J, Lokwood, J, Loui, RP and Pahos, M, Implementation of a Content-Sanning Module for an Internet Firewall, in Proeedings of 11th Annual IEEE Symposium on Field-Programmable Custom Computing Mahines (FCCM 03), April 2003 [9] Baker, ZK and Prasanna, VK, Time and Area Effiient Pattern Mathing on FPGAs, in Proeedings of FPGA 04, February 2004 [10] Dharmapurikar, S, Krishnamurthy, P, Sproull, TS and Lokwood, JW, Deep Paket Inspetion Using Parallel Bloom Filters, IEEE Miro, pp 52-61, Jan/ Feb 2004 [11] Gokhale, M, Dubois, D, Dubois, A, Boorman, M, Poole, S and Hogsett, V, Granidt: Towards Gigabit Rate Network Intrusion Detetion Tehnology, in Proeedings of FPL 2002, LNCS 2438, pp , Sep 2002 [12] Li, S, Torresen, J and Soraasen, O, Exploiting Reonfigurable Hardware for Network Seurity, in Proeedings of 11th Annual IEEE Symposium on Field-Programmable Custom Computing Mahines (FCCM 03), April 2003 [13] (Aessed 1 June 2004) [14] Cho, YH, Navab, S, Mangione-Smith, WH, Speialized Hardware for Deep Network Paket Filtering, in Proeedings of FPL 2002, LNCS 2438, pp , Sep 2002